ProcessRequest: macOS malware built by BlueNorOff, a subgroup of North Korea's Lazarus (2023.11.7)
2023-11-13 • Sakai • Mac OS malware created by BlueNorOff, a North Korean affiliate of Lazarus - ProcessRequest (2023.11.7)
BlueNorOff is described as using ProcessRequest, a macOS malware sample aimed at cryptocurrency-related targets such as exchanges, venture capital firms, and banks. The sample carries only a temporary signature and operates as a simple Objective-C remote shell that runs commands received from the attacker's server. The source notes that the malware splits its command-and-control URL into string fragments to hinder static detection, and it references SwissBorg-themed infrastructure as part of the analysis. Hashes for the ProcessRequest sample are provided, including SHA-256 8bfa4fe0534c0062393b6a2597c3491f7df3bf2eabfe06544c53bdf1f38db6d4.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 104.168.214.151 | 2023-11-07 | 2025-10-28 |
| HASH | 8bfa4fe0534c0062393b6a2597c3491… | 2023-11-13 | 2024-12-27 |
| HASH | 79337ccda23c67f8cfd9f43a6d3cf05… | 2023-11-07 | 2023-11-27 |
| HASH | 9294648d744703cfa0456ec74d014fe4 | 2023-11-13 | 2023-11-13 |
| IPv4 | 142.250.9.94 | 2023-11-13 | 2023-11-13 |
| IPv4 | 54.80.119.162 | 2023-11-13 | 2023-11-13 |
| IPv4 | 184.25.164.143 | 2023-11-13 | 2023-11-13 |
| IPv4 | 17.248.195.72 | 2023-11-13 | 2023-11-13 |
| IPv4 | 17.253.20.253 | 2023-11-13 | 2023-11-13 |
| IPv4 | 23.33.241.186 | 2023-11-13 | 2023-11-13 |
| IPv4 | 23.47.64.173 | 2023-11-13 | 2023-11-13 |
| IPv4 | 17.248.200.66 | 2023-11-13 | 2023-11-13 |
| IPv4 | 17.248.186.177 | 2023-11-13 | 2023-11-13 |
| IPv4 | 192.229.211.108 | 2023-11-13 | 2023-11-13 |
| IPv4 | 17.32.194.2 | 2023-11-13 | 2023-11-13 |
| IPv4 | 17.253.7.207 | 2023-11-13 | 2023-11-13 |
| IPv4 | 23.55.60.32 | 2023-11-13 | 2023-11-13 |
| IPv4 | 23.47.64.24 | 2023-11-13 | 2023-11-13 |
| IPv4 | 104.76.210.89 | 2023-11-13 | 2023-11-13 |
| IPv4 | 74.125.136.101 | 2023-11-13 | 2023-11-13 |
| DOMAIN | swissborg.com | 2023-11-07 | 2023-11-13 |
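The summary above and the indicator table are only useful once they are matched against telemetry, and a practitioner would want to do that without treating every row as equally trustworthy: the table mixes a C2 address sighted over two years with a long tail of addresses seen on the analysis date only. The following is an added example, not code from the original report or from the analyst: it parses a representative subset of the table verbatim (truncated hashes are kept truncated and matched as prefixes), extracts IPs, hashes and domains from a few constructed log lines, and grades each hit. The log lines, the `NOISE_NETWORKS` list (17.0.0.0/8 is Apple's block, which sandboxed macOS runs contact routinely) and the single-day-sighting heuristic are assumptions made for the example.

```python
"""Match the indicator table above against log lines and grade each hit (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Representative subset of the page's indicator table, copied verbatim. Hash values the page
# truncated with an ellipsis are kept truncated and matched as prefixes.
IOC_TABLE = """
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 104.168.214.151 | 2023-11-07 | 2025-10-28 |
| HASH | 8bfa4fe0534c0062393b6a2597c3491… | 2023-11-13 | 2024-12-27 |
| HASH | 79337ccda23c67f8cfd9f43a6d3cf05… | 2023-11-07 | 2023-11-27 |
| HASH | 9294648d744703cfa0456ec74d014fe4 | 2023-11-13 | 2023-11-13 |
| IPv4 | 142.250.9.94 | 2023-11-13 | 2023-11-13 |
| IPv4 | 17.248.195.72 | 2023-11-13 | 2023-11-13 |
| DOMAIN | swissborg.com | 2023-11-07 | 2023-11-13 |
"""

# Assumption for this example: 17.0.0.0/8 is Apple's block, which sandboxed macOS runs contact
# routinely, so hits there are graded low unless corroborated by something else.
NOISE_NETWORKS = [ipaddress.ip_network("17.0.0.0/8")]

# Constructed log lines (proxy, EDR and DNS style) for the demonstration; not real telemetry.
SAMPLE_LOGS = [
    "2023-11-13T10:02:11Z proxy host=laptop-07 dst=104.168.214.151:443 method=POST uri=/ bytes=412",
    "2023-11-13T10:02:13Z proxy host=laptop-07 dst=17.248.195.72:443 method=GET uri=/ bytes=9100",
    "2023-11-13T10:03:40Z edr host=laptop-07 event=exec path=/tmp/ProcessRequest "
    "sha256=8bfa4fe0534c0062393b6a2597c3491f7df3bf2eabfe06544c53bdf1f38db6d4",
    "2023-11-13T10:05:02Z dns host=laptop-07 query=api.swissborg.com rcode=NOERROR",
    "2023-11-13T10:06:00Z proxy host=desk-02 dst=93.184.216.34:443 method=GET uri=/ bytes=512",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b[0-9a-f]{64}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{32}\b", re.I)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


@dataclass(frozen=True)
class Indicator:
    kind: str        # IPV4, HASH or DOMAIN (table's Type column, upper-cased)
    value: str       # lower-cased indicator; may end with "…" when the page truncated it
    first_seen: str
    last_seen: str

    @property
    def truncated(self) -> bool:
        return self.value.endswith("…")


def parse_ioc_table(text: str) -> list:
    """Parse the markdown table into Indicator rows, skipping the header and separator."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Type" or set(cells[0]) == {"-"}:
            continue
        rows.append(Indicator(cells[0].upper(), cells[1].lower(), cells[2], cells[3]))
    return rows


def extract_observables(line: str) -> dict:
    """Pull every IPv4 address, hash and domain name out of one log line."""
    return {
        "IPV4": set(IP_RE.findall(line)),
        "HASH": {h.lower() for h in HASH_RE.findall(line)},
        "DOMAIN": {d.lower() for d in DOMAIN_RE.findall(line)},
    }


def match_indicator(ind: Indicator, observed: dict) -> Optional[str]:
    """Return the observed value that matches this indicator, or None."""
    for value in observed.get(ind.kind, ()):
        if ind.truncated and value.startswith(ind.value[:-1]):
            return value                      # prefix match for a truncated hash
        if ind.kind == "DOMAIN" and (value == ind.value or value.endswith("." + ind.value)):
            return value                      # subdomains of a listed domain count
        if not ind.truncated and value == ind.value:
            return value
    return None


def confidence(ind: Indicator, value: str) -> str:
    """Grade a hit: file hashes are identity, noise ranges and single-day sightings are weak."""
    if ind.kind == "IPV4" and any(ipaddress.ip_address(value) in net for net in NOISE_NETWORKS):
        return "low"
    if ind.kind == "HASH":
        return "high"
    if ind.first_seen == ind.last_seen:
        return "low"                          # seen once, on the analysis date: likely sandbox noise
    return "high"


def scan_logs(lines, iocs) -> list:
    """Return (line_no, kind, indicator_value, confidence) for every indicator hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        observed = extract_observables(line)
        for ind in iocs:
            value = match_indicator(ind, observed)
            if value:
                hits.append((n, ind.kind, ind.value, confidence(ind, value)))
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, parse_ioc_table(IOC_TABLE)):
        print(hit)
```

Run on the constructed lines, the C2 address, the SHA-256 of the sample and the SwissBorg lookup come out as high-confidence hits, while the Apple-range address is graded low; the example.com-style line produces nothing. The grading is deliberately simple: in practice the "single day" rule should be backed by whether the address resolves to a CDN or vendor range, and the full table (not this subset) should be loaded from the feed rather than pasted.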