macOS malware created by BlueNorOff, a subgroup of North Korea's Lazarus: Internal PDF Viewer (2023.4.23)
2023-04-27 • Sakai • macOS malware created by BlueNorOff, a North Korean affiliate of Lazarus: Internal PDF Viewer (2023.4.23)
The Korean analysis attributes the macOS malware sample “Internal PDF Viewer” to BlueNorOff, a subgroup of Lazarus, and describes it as RustBucket-like malware that contacts command-and-control (C2) infrastructure to download and run additional payloads. The source provides hashes for the sample and walks through its macOS code routines, including the data-encryption logic and the document-opening behavior, so the report is a reverse-engineering write-up rather than an account of a live victim incident. It frames the activity as targeting macOS (MacBook) users with cryptocurrency-related objectives, but the strongest evidence in the excerpt is the sample analysis, the C2/payload behavior, and the claimed BlueNorOff/Lazarus linkage; the excerpt does not tie individual IPv4 addresses in the table below to C2.
Indicators of Compromise

Two of the three hashes are truncated in the source (trailing “…”) and can only be matched as prefixes; f8800dd176487601ccf2e27c094b297b is 32 hex characters (MD5 length). Several IPv4 entries fall in 17.0.0.0/8, which is Apple-assigned address space, and the excerpt does not state which addresses are C2, so validate each IP before blocking rather than treating the whole list as confirmed infrastructure.
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | e0e42ac374443500c23672134161286… | 2023-04-27 | 2023-07-05 |
| HASH | f8800dd176487601ccf2e27c094b297b | 2023-04-27 | 2023-05-22 |
| HASH | e74e8cdf887ae2de25590c55cb52dad… | 2023-04-27 | 2023-05-22 |
| IPv4 | 23.198.249.163 | 2023-04-27 | 2023-04-27 |
| IPv4 | 67.195.228.56 | 2023-04-27 | 2023-04-27 |
| IPv4 | 23.44.229.223 | 2023-04-27 | 2023-04-27 |
| IPv4 | 17.125.250.130 | 2023-04-27 | 2023-04-27 |
| IPv4 | 17.253.27.202 | 2023-04-27 | 2023-04-27 |
| IPv4 | 17.250.99.79 | 2023-04-27 | 2023-04-27 |
| IPv4 | 23.198.226.30 | 2023-04-27 | 2023-04-27 |
| IPv4 | 23.75.68.149 | 2023-04-27 | 2023-04-27 |
| IPv4 | 104.76.210.15 | 2023-04-27 | 2023-04-27 |
| IPv4 | 17.250.99.100 | 2023-04-27 | 2023-04-27 |
| IPv4 | 23.62.216.24 | 2023-04-27 | 2023-04-27 |
| IPv4 | 54.189.10.237 | 2023-04-27 | 2023-04-27 |
| IPv4 | 72.21.91.29 | 2023-04-27 | 2023-04-27 |
| IPv4 | 23.198.224.36 | 2023-04-27 | 2023-04-27 |
| IPv4 | 67.195.204.56 | 2023-04-27 | 2023-04-27 |
| IPv4 | 184.25.164.217 | 2023-04-27 | 2023-04-27 |
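As an added example (not code from the Korean analysis or from this page), a small Python triage script that parses a subset of the IoC table above and checks constructed telemetry against it. It matches the truncated hashes as prefixes and full hashes by equality, and it marks IP hits inside 17.0.0.0/8 (Apple-assigned space) as "review" instead of "match"; treating those as likely sandbox noise rather than C2 is an assumption of this example. The sample records, their paths and the padded SHA-256-length digest are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Subset of the page's IoC table, embedded verbatim so the script runs offline.
IOC_TABLE = """
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | e0e42ac374443500c23672134161286… | 2023-04-27 | 2023-07-05 |
| HASH | f8800dd176487601ccf2e27c094b297b | 2023-04-27 | 2023-05-22 |
| HASH | e74e8cdf887ae2de25590c55cb52dad… | 2023-04-27 | 2023-05-22 |
| IPv4 | 23.198.249.163 | 2023-04-27 | 2023-04-27 |
| IPv4 | 17.125.250.130 | 2023-04-27 | 2023-04-27 |
| IPv4 | 54.189.10.237 | 2023-04-27 | 2023-04-27 |
"""

# One markdown table row: | Type | Value | First Seen | Last Seen |
ROW_RE = re.compile(r"^\|\s*(HASH|IPv4)\s*\|\s*([^|]+?)\s*\|\s*([\d-]+)\s*\|\s*([\d-]+)\s*\|$")

# 17.0.0.0/8 is Apple-assigned; hits there get "review", not "match"
# (assumption: such traffic is platform noise rather than C2).
LOW_CONFIDENCE_NETS = [ipaddress.ip_network("17.0.0.0/8")]


@dataclass
class IocSet:
    full_hashes: set = field(default_factory=set)   # complete digests, matched by equality
    hash_prefixes: set = field(default_factory=set) # truncated digests, matched by prefix
    ips: set = field(default_factory=set)


def parse_ioc_table(text):
    """Parse the markdown IoC table into an IocSet (values lower-cased)."""
    iocs = IocSet()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        kind, value = m.group(1), m.group(2).lower()
        if kind == "HASH":
            if value.endswith("…") or value.endswith("..."):
                iocs.hash_prefixes.add(value.rstrip("…").rstrip("."))
            else:
                iocs.full_hashes.add(value)
        elif kind == "IPv4":
            iocs.ips.add(ipaddress.ip_address(value))
    return iocs


def classify_hash(digest, iocs):
    d = digest.lower()
    if d in iocs.full_hashes:
        return "match"
    if any(d.startswith(p) for p in iocs.hash_prefixes):
        return "prefix-match"
    return "none"


def classify_ip(ip, iocs):
    addr = ipaddress.ip_address(ip)
    if addr not in iocs.ips:
        return "none"
    if any(addr in net for net in LOW_CONFIDENCE_NETS):
        return "review"
    return "match"


def scan(records, iocs):
    """records: iterable of (kind, value, context); returns the non-'none' verdicts in order."""
    hits = []
    for kind, value, context in records:
        if kind == "hash":
            verdict = classify_hash(value, iocs)
        elif kind == "ip":
            verdict = classify_ip(value, iocs)
        else:
            continue
        if verdict != "none":
            hits.append((verdict, value, context))
    return hits


# Constructed telemetry (file inventory + egress log), not from the source.
SAMPLE_RECORDS = [
    ("hash", "F8800DD176487601CCF2E27C094B297B", "constructed: ~/Downloads/Internal PDF Viewer.app"),
    ("hash", "e0e42ac374443500c23672134161286" + "0" * 33, "constructed: quarantined sample (padded digest)"),
    ("hash", "d41d8cd98f00b204e9800998ecf8427e", "constructed: empty file (MD5 of zero bytes)"),
    ("ip", "23.198.249.163", "constructed: egress 2023-04-27T10:00:00Z"),
    ("ip", "17.125.250.130", "constructed: egress 2023-04-27T10:00:05Z"),
    ("ip", "8.8.8.8", "constructed: dns"),
]

if __name__ == "__main__":
    for verdict, value, context in scan(SAMPLE_RECORDS, parse_ioc_table(IOC_TABLE)):
        print(f"{verdict:13} {value}  {context}")
```

A prefix-match on 31 hex characters is strong evidence but still not a full digest comparison, so keep the two verdicts distinct in reporting; the "review" bucket is where an analyst confirms or discards the Apple-range addresses against the original report before any blocking.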