100DaysofYARA - SpectralBlur
2024-01-03 • Greg Lesnewich
https://g-les.github.io/yara/2024/01/03/100DaysofYARA_SpectralBlur.html
Greg Lesnewich documents SpectralBlur, a macOS Mach-O backdoor attributed to TA444 (also tracked as Sapphire Sleet, BLUENOROFF, and STARDUST CHOLLIMA). Censys and VirusTotal monitoring of pxaltonet.org surfaced a .macshare sample whose retained function names exposed its capabilities: configuration loading, socket communications, RC4-wrapped traffic, file upload and download, shell execution, file deletion, and sleep and hibernate commands. String overlap and YARA retrohunting connected SpectralBlur to early KANDYKORN or SockRacket samples, although the author treats them as related families rather than the same codebase. The post supplies YARA logic built around Mach-O traits, function names, imports, and xcrypt byte patterns for tracking emerging DPRK macOS tooling.
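The detection approach the post describes (a Mach-O header condition plus a count of retained function-name strings, the way a YARA `uint32(0)` check and `N of ($f*)` would express it) can be prototyped in a few lines before committing it to a rule. The script below is an added example, not code from the post or Greg Lesnewich's rules. Every name in the indicator list except `xcrypt` (which the post names) is invented and prefixed `ex_` to make that clear; the sample file bytes are constructed, the hit threshold is an arbitrary assumption, and the RC4 routine is included only so a responder can test-decrypt captured traffic once a key is recovered from a real sample, since the post does not publish one.

```python
"""Mach-O triage helper mirroring the post's YARA logic (added example).

Checks the Mach-O magic the way YARA's uint32(0) does, counts hits against
a list of function-name indicators like `N of ($f*)`, and carries a plain
RC4 so captured C2 traffic can be test-decrypted with a recovered key.
"""
import struct

# Thin Mach-O files are little-endian on disk (x86_64/arm64), so reading the
# first four bytes little-endian gives these values, exactly as YARA's
# uint32(0) returns them.
THIN_MAGICS = {0xFEEDFACE: "MH_MAGIC", 0xFEEDFACF: "MH_MAGIC_64"}
# Universal (fat) binaries store FAT_MAGIC big-endian: bytes ca fe ba be.
FAT_MAGIC = 0xCAFEBABE

# Indicator strings. Only "xcrypt" comes from the post; the "ex_" names are
# invented stand-ins for the retained function names the post documents.
INDICATORS = [b"xcrypt", b"ex_loadconfig", b"ex_upload",
              b"ex_download", b"ex_shell", b"ex_delete"]
MIN_HITS = 3  # assumed threshold, equivalent to "3 of ($f*)" in YARA


def macho_kind(data: bytes):
    """Return 'thin', 'thin-be', 'fat', or None for the given file bytes."""
    if len(data) < 4:
        return None
    le = struct.unpack("<I", data[:4])[0]
    be = struct.unpack(">I", data[:4])[0]
    if le in THIN_MAGICS:
        return "thin"
    if be in THIN_MAGICS:          # big-endian Mach-O (legacy PowerPC)
        return "thin-be"
    if be == FAT_MAGIC:            # caveat: Java .class files share this magic
        return "fat"
    return None


def indicator_hits(data: bytes, indicators):
    """Substring search, which is what YARA ascii string patterns do."""
    return sorted(i for i in indicators if i in data)


def triage(data: bytes, indicators=INDICATORS, min_hits=MIN_HITS):
    """Mirror a YARA condition: Mach-O header and at least min_hits indicators."""
    kind = macho_kind(data)
    hits = indicator_hits(data, indicators)
    return {"kind": kind, "hits": hits,
            "match": kind is not None and len(hits) >= min_hits}


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Constructed inputs: a fake 64-bit Mach-O header followed by a symbol-like
# string table, and an ELF-prefixed blob carrying the same strings.
SYMBOLS = b"_xcrypt\x00_ex_upload\x00_ex_shell\x00_main\x00"
SAMPLE_MACHO = struct.pack("<I", 0xFEEDFACF) + b"\x00" * 28 + SYMBOLS
SAMPLE_ELF = b"\x7fELF" + b"\x00" * 28 + SYMBOLS

if __name__ == "__main__":
    print(triage(SAMPLE_MACHO))   # kind 'thin', 3 hits, match True
    print(triage(SAMPLE_ELF))     # kind None, same hits, match False
    ct = rc4(b"Key", b"Plaintext")
    print(ct.hex(), rc4(b"Key", ct))
```

The string hits alone are not enough: the ELF blob carries the same three indicators yet does not match, which is the point of anchoring the rule on the Mach-O header. Once the real symbol names from the post replace the `ex_` placeholders, the same `triage` call gives a quick sanity check of a candidate rule's logic against a sample before retrohunting with it.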
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 6f3e849ee0fe7a6453bd0408f0537fa… | 2024-01-03 | 2024-12-13 |
| YARA | APT_NK_TA444_SpectralBlur | 2024-01-03 | 2024-01-03 |
| YARA | APT_NK_TA444_SpectralBlur_SockR… | 2024-01-03 | 2024-01-03 |
| HASH | 833902ac1aba3cee87dc52ac9f045f26 | 2024-01-03 | 2024-01-03 |
| HASH | f91801b458d875cfe61f927d16202b3… | 2024-01-03 | 2024-01-03 |
| HASH | 1d6cf7159c8dd98299798b0985f62dd… | 2024-01-03 | 2024-01-03 |
| HASH | d57a2e0c42c63659d6c09fc593fd5d2… | 2024-01-03 | 2024-01-03 |
| HASH | c99729c39d197dd774e6febab5ec33a… | 2024-01-03 | 2024-01-03 |
| HASH | 0753859738620c7394f04220e273974… | 2024-01-03 | 2024-01-03 |
| HASH | d2d60f678d0b881b3e079b46bdb813f… | 2024-01-03 | 2024-01-03 |
| DOMAIN | pxaltonet.org | 2023-11-14 | 2024-01-03 |