North Korean hacking group ‘BlueNoroff’ using macOS malware to target financial institutions

    In this article, we delve into the escalating cybersecurity threat posed by BlueNoroff, an advanced persistent threat group targeting financial institutions with macOS-specific malware. We explore the group's tactics, the malware it employs, and its impact on the financial sector.

    The BlueNoroff Menace

    BlueNoroff, a subgroup of the notorious Lazarus group, has been identified by the U.S. Treasury Department as a North Korea-backed government hacker collective. They are known for their relentless pursuit of financial gain through cyber attacks.

    ObjCShellz: A Notably Simple Menace

    The malware of choice for BlueNoroff in this campaign is ObjCShellz, which stands out for its simplicity. Unlike typical, complex malware, its small footprint works in its favour, making detection more challenging. Social engineering serves as the initial delivery method, after which the malware quietly collects data from infected macOS devices.

    Stealth and Deception: BlueNoroff’s Trademark

    One of BlueNoroff’s trademark strategies is to create domains that mimic legitimate cryptocurrency companies, allowing them to blend in with normal network activity. For instance, during this campaign, they used the domain swissborg[.]blog, registered in a manner to appear as a knock-off of the legitimate crypto exchange
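Lookalike domains of the kind described above can be caught at the DNS layer by comparing each queried name against an allow-list of the brands being imitated. The script below is an added example, not code from the article or from any vendor; it assumes swissborg.com is the legitimate SwissBorg domain, uses constructed dnsmasq-style log lines (the first reusing the defanged indicator quoted above), and deliberately uses a naive "last two labels" registrable-domain rule instead of a public-suffix list so that it runs offline.

```python
import re
from typing import List, Optional, Tuple

# Constructed allow-list: registrable domains of brands that lookalike
# infrastructure imitates. Assumption: swissborg.com is SwissBorg's real
# domain; extend the set with the brands relevant to your environment.
LEGITIMATE_DOMAINS = {"swissborg.com"}

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as swissborg[.]blog back into a hostname."""
    return indicator.replace("[.]", ".").strip().lower()

def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels (no public-suffix list, offline only)."""
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def lookalike_of(host: str) -> Optional[str]:
    """Return the legitimate domain that `host` imitates, or None.

    A host is a lookalike when the brand label appears in its registrable
    second-level label (exactly, or as a hyphen-separated token such as
    swissborg-support) while the registrable domain is not the brand's own.
    """
    reg = registrable_domain(refang(host))
    if reg in LEGITIMATE_DOMAINS:
        return None
    tokens = reg.split(".")[0].split("-")
    for legit in LEGITIMATE_DOMAINS:
        if legit.split(".")[0] in tokens:
            return legit
    return None

DNS_LOG_RE = re.compile(r"query\[A\]\s+(?P<qname>\S+)")

def scan_dns_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (queried_name, imitated_domain) for every lookalike query seen."""
    hits = []
    for line in lines:
        m = DNS_LOG_RE.search(line)
        if m and (legit := lookalike_of(m.group("qname"))):
            hits.append((m.group("qname").lower(), legit))
    return hits

# Constructed sample log lines (dnsmasq format); not real telemetry.
SAMPLE_LOG = [
    "Nov  7 10:01:12 dnsmasq[233]: query[A] swissborg.blog from 10.0.0.12",
    "Nov  7 10:01:13 dnsmasq[233]: query[A] app.swissborg.com from 10.0.0.12",
    "Nov  7 10:01:14 dnsmasq[233]: query[A] login.swissborg-support.net from 10.0.0.31",
    "Nov  7 10:02:02 dnsmasq[233]: query[A] example.org from 10.0.0.40",
]

if __name__ == "__main__":
    for qname, legit in scan_dns_log(SAMPLE_LOG):
        print(f"lookalike: {qname} imitates {legit}")
```

The second sample line is not flagged because its registrable domain is the brand's own, which is the false-positive case the check must avoid.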

    A History of Ambitious Heists

    BlueNoroff has a dark history of targeting financial institutions and cryptocurrency companies, with reported attempts to steal over $1.1 billion from various targets. This persistent threat is exacerbated by the group’s ongoing development of new and sophisticated malware. The initial undiscovered status of their malware on VirusTotal at the time of upload suggests that BlueNoroff is actively evading detection efforts.

    A Broader Context

    In the broader context of North Korea's state-sponsored hacking groups, there are accusations that stolen funds are used to support the country's nuclear missile program. In 2019, the U.S. Treasury Department sanctioned BlueNoroff for conducting cyber-enabled heists against foreign financial institutions on behalf of North Korea, generating revenue for these illicit activities.

    A Trail of High-Profile Attacks

    BlueNoroff’s notoriety extends to its involvement in multiple high-profile attacks. These include the theft of $80 million from the Central Bank of Bangladesh’s New York Federal Reserve account and a $55 million heist from the bZx DeFi platform in 2021. Russian security firm Kaspersky has also linked BlueNoroff to numerous hacks at various financial institutions and cryptocurrency companies across multiple countries globally.

    In conclusion, the relentless and evolving threat posed by BlueNoroff highlights the critical need for robust cybersecurity measures, especially in the face of state-sponsored hacking groups. With their significant history of financial cybercrime, BlueNoroff remains a formidable adversary, reinforcing the importance of continued vigilance and proactive defenses in the financial sector.