BlueNoroff Hidden Risk | Threat Actor Targets Macs with Fake Crypto News and Novel Persistence

2024-11-07 Sentinel One

https://www.sentinelone.com/labs/bluenoroff-hidden-risk-threat-actor-targets-macs-with-fake-crypto-news-and-novel-persistence/


SentinelLabs links the Hidden Risk campaign to DPRK BlueNoroff activity targeting cryptocurrency businesses on macOS. The campaign uses phishing emails carrying fake cryptocurrency news and a malicious application disguised as a PDF, with lures such as "Hidden Risk Behind New Surge of Bitcoin Price." The Swift-based first stage opens a decoy PDF hosted on Google Drive, then retrieves an x86-64 Mach-O backdoor from actor-controlled infrastructure such as matuaner[.]com. The malware persists by abusing the zshenv configuration file, a technique SentinelLabs highlights as novel in this activity and places within the broader RustBucket, ThiefBucket, and KandyKorn lineage.

Indicators of Compromise

