Security researchers have identified a new macOS backdoor named SpectralBlur, with connections to a known malware family associated with North Korean threat actors. SpectralBlur, described as a moderately capable backdoor, shares similarities with KANDYKORN, an advanced implant functioning as a remote access trojan with control over compromised hosts. The discovery suggests an increasing interest from North Korean threat actors in targeting macOS, specifically focusing on high-value sectors like cryptocurrency and blockchain. The overlap between SpectralBlur and KANDYKORN points to a potential collaboration or shared requirements among different developers in crafting these malicious tools.
Notably, SpectralBlur stands out for its efforts to hinder analysis and evade detection. The malware employs tactics such as using grantpt to set up a pseudo-terminal and executing shell commands received from the command-and-control server. Security researcher Patrick Wardle highlighted that the Mach-O binary of SpectralBlur was uploaded to the VirusTotal malware scanning service in August 2023 from Colombia, providing additional insights into the origins of the threat. The broader context reveals a concerning trend, with 21 new macOS-targeting malware families discovered in 2023, including ransomware, information stealers, remote access trojans, and nation-state-backed malware—a significant increase from the 13 identified in 2022.
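The article's one concrete technical detail is that SpectralBlur sets up a pseudo-terminal with grantpt and then runs shell commands received from its C2. On macOS, grantpt is called on the master descriptor that posix_openpt returns, which is an open of /dev/ptmx, so a defender can hunt for the pattern "process opens /dev/ptmx, then spawns a shell, without any terminal program in its ancestry". The script below is an added illustration of that hunting heuristic and is not code from the article, from Patrick Wardle, or from any real telemetry product; the event schema, the process records, and the allow-list of legitimate terminal parents are all constructed assumptions for this example.

```python
"""Hunting heuristic: unexpected pseudo-terminal allocation followed by a shell.

Assumptions (constructed for this example, not a real EDR schema):
  - Telemetry arrives as chronological Event records with "exec" and "open" kinds.
  - An "open" of /dev/ptmx is how posix_openpt()/grantpt() show up in file events.
  - TERMINAL_PARENTS lists programs that legitimately allocate ptys on macOS.
"""
from dataclasses import dataclass

# Programs that are expected to allocate ptys (constructed allow-list, tune per fleet).
TERMINAL_PARENTS = {"Terminal", "iTerm2", "sshd", "tmux", "screen", "login"}
# Shell binaries whose spawn from a pty-owning process is worth a look.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh"}


@dataclass
class Event:
    kind: str          # "exec" (process started) or "open" (file opened)
    pid: int
    ppid: int
    name: str          # short name of the process that generated the event
    target: str = ""   # path executed (exec) or path opened (open)


def build_parents(events):
    """Map pid -> (ppid, name) from the exec events so ancestry can be walked."""
    parents = {}
    for e in events:
        if e.kind == "exec":
            parents[e.pid] = (e.ppid, e.name)
    return parents


def has_terminal_ancestor(pid, parents, max_depth=32):
    """True if pid itself or any ancestor (up to max_depth) is a known terminal program."""
    cur = pid
    for _ in range(max_depth):
        if cur not in parents:
            return False
        ppid, name = parents[cur]
        if name in TERMINAL_PARENTS:
            return True
        cur = ppid
    return False


def find_suspicious_pty_shells(events):
    """Return (pid, name, shell_path) for processes that opened /dev/ptmx and then
    spawned a shell while having no terminal program in their ancestry."""
    parents = build_parents(events)
    opened_ptmx = set()
    hits = []
    for e in events:  # events are assumed to be in chronological order
        if e.kind == "open" and e.target == "/dev/ptmx":
            opened_ptmx.add(e.pid)
        elif e.kind == "exec" and e.target in SHELLS and e.ppid in opened_ptmx:
            if not has_terminal_ancestor(e.ppid, parents):
                hits.append((e.ppid, parents[e.ppid][1], e.target))
    return hits


# Constructed sample telemetry: a real Terminal session, a suspicious hidden binary
# that behaves like the described backdoor, and a daemon that spawns a shell without a pty.
SAMPLE_EVENTS = [
    Event("exec", 1, 0, "launchd", "/sbin/launchd"),
    Event("exec", 200, 1, "Terminal", "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"),
    Event("open", 200, 1, "Terminal", "/dev/ptmx"),
    Event("exec", 210, 200, "zsh", "/bin/zsh"),
    Event("exec", 300, 1, "com.example.updater", "/Users/alice/Library/.hidden/updater"),
    Event("open", 300, 1, "com.example.updater", "/dev/ptmx"),
    Event("exec", 310, 300, "sh", "/bin/sh"),
    Event("exec", 400, 1, "backupd", "/usr/libexec/backupd"),
    Event("open", 400, 1, "backupd", "/etc/hosts"),
    Event("exec", 410, 400, "sh", "/bin/sh"),
]

if __name__ == "__main__":
    for pid, name, shell in find_suspicious_pty_shells(SAMPLE_EVENTS):
        print(f"suspicious pty+shell: pid={pid} name={name} shell={shell}")
```

On the sample data only the hidden updater (pid 300) is reported: Terminal is on the allow-list, and backupd spawns a shell but never touches /dev/ptmx. The heuristic is deliberately narrow; in a real deployment the allow-list and the event source (for example an Endpoint Security client feeding file and exec events) would need to be adapted to the fleet.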
As macOS continues to gain popularity, especially in enterprise environments, experts anticipate a surge in new macOS malware throughout 2024. This emphasizes the critical need for enhanced cybersecurity measures and ongoing vigilance to protect against evolving threats targeting Apple’s operating system. The findings underscore the dynamic landscape of cyber threats, with threat actors adapting their tactics to exploit the growing user base of macOS, particularly in sectors with valuable assets like cryptocurrency and blockchain.