New BlueNoroff loader for macOS
2023-12-05 • Kaspersky
Kaspersky analyzed a new macOS loader likely linked to BlueNoroff's RustBucket campaign against cryptocurrency and financial targets. The ZIP archive contained a fake PDF on the theme "Crypto-assets and their risks for financial stability" and a signed Swift app named EdoneViewer that decrypted an AppleScript payload. The script opened a benign PDF as a decoy, posted to the C2 server, saved a hidden /Users/Shared/.pw payload, and executed it with the C2 address as an argument. The .pw Trojan collected startup time, OS installation date, and running process data every minute, then waited for commands to execute a downloaded file, delete itself, or keep polling.
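Two host-side checks that follow directly from the chain described above, written as an added example (not Kaspersky's code): the first flags a hidden file under /Users/Shared being launched with a URL on its command line, the second flags a process contacting the same host at near-constant one-minute intervals. The event records and hostnames are constructed sample telemetry, and the field names (`pid`, `parent`, `path`, `argv`, `host`, `ts`) are assumed, not any particular EDR's schema.

```python
import re
from collections import defaultdict
from datetime import datetime

# Staging path pattern from the report: a hidden file directly under /Users/Shared.
HIDDEN_SHARED_RE = re.compile(r"^/Users/Shared/\.[^/]+$")
URL_RE = re.compile(r"^https?://\S+$", re.IGNORECASE)

def hidden_payload_with_c2_arg(exec_events):
    """Flag launches of a hidden /Users/Shared file that receive a URL argument,
    matching the loader handing the C2 address to .pw on the command line."""
    hits = []
    for ev in exec_events:
        if HIDDEN_SHARED_RE.match(ev["path"]) and any(URL_RE.match(a) for a in ev["argv"][1:]):
            hits.append((ev["pid"], ev["path"], ev["parent"]))
    return hits

def periodic_beacons(net_events, period_s=60, tolerance_s=5, min_count=3):
    """Group outbound connections by (pid, host) and flag groups whose gaps are all
    within tolerance of the expected period (the one-minute polling loop)."""
    by_key = defaultdict(list)
    for ev in net_events:
        by_key[(ev["pid"], ev["host"])].append(datetime.fromisoformat(ev["ts"]))
    hits = []
    for (pid, host), times in by_key.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_count and all(abs(g - period_s) <= tolerance_s for g in gaps):
            hits.append((pid, host, round(sum(gaps) / len(gaps), 1)))
    return hits

# Constructed sample telemetry (not from the report); hosts are placeholders.
EXEC_EVENTS = [
    {"pid": 401, "parent": "EdoneViewer", "path": "/Users/Shared/.pw",
     "argv": ["/Users/Shared/.pw", "http://c2.example.invalid"]},
    {"pid": 402, "parent": "launchd", "path": "/usr/bin/curl",
     "argv": ["curl", "https://example.invalid/update"]},  # URL arg, but not a hidden staging file
]
NET_EVENTS = [
    {"pid": 401, "host": "c2.example.invalid", "ts": f"2023-12-05T10:{m:02d}:00"}
    for m in (1, 2, 3, 4)
] + [
    {"pid": 402, "host": "example.invalid", "ts": "2023-12-05T10:01:07"},
    {"pid": 402, "host": "example.invalid", "ts": "2023-12-05T10:30:00"},
]
```

Both rules are intentionally narrow; the parent-process name in the first hit is returned so an analyst can correlate it with the signed app that dropped the file.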
Indicators of Compromise