The Mac Malware of 2023

2024-01-01 Objective-see

https://objective-see.org/blog/blog_0x77.html

Attachments

MacMalware_2023.pdf (14 MB)


Objective-See's 2023 macOS malware roundup reports that Lazarus Group, identified as DPRK-linked, continued to produce macOS malware during 2023. In the DPRK 3CX supply chain compromise, the macOS 3CX Desktop App was trojanized by injecting libffmpeg.dylib; the malware then rode the trusted app's launch path to survey infected systems and fetch a second-stage UpdateAgent payload. The same APT section also covers NokNok, RustBucket, and payloads tied to the JumpCloud supply chain attack, framing them as part of the year's macOS APT activity rather than commodity ransomware.

Indicators of Compromise

Type    Value                               First Seen   Last Seen
DOMAIN  primerosauxiliosperu.com            2023-07-12   2024-09-09
DOMAIN  msstorageboxes.com                  2023-03-29   2024-09-09
HASH    4d32b7b1b7529e17f6e138c7e4146e31    2024-01-01   2024-01-01
HASH    91a5faa41d19090e1c5c1016254fd22a    2024-01-01   2024-01-01
HASH    17b84ed0f8bdbb6619d64bf686a6b99…    2024-01-01   2024-01-01
HASH    3e4bbd21756ae30c24ff7d6942656be…    2024-01-01   2024-01-01
HASH    c80c8c0e961e1692c5afdb8b3dd48e8…    2024-01-01   2024-01-01
HASH    3fc69c755c050fa09abb7c7783d66cfb    2024-01-01   2024-01-01
URL     https://primerosauxiliosperu.co…    2024-01-01   2024-01-01
URL     http://mac.cracked23.site           2024-01-01   2024-01-01
URL     https://primerosauxiliosperu.co…    2024-01-01   2024-01-01
DOMAIN  builder.osx-mac.com                 2024-01-01   2024-01-01
DOMAIN  api.osx-mac.com                     2024-01-01   2024-01-01
DOMAIN  mac.cracked23.site                  2024-01-01   2024-01-01
DOMAIN  thepureland.io                      2024-01-01   2024-01-01
IPv4    185.106.93.154                      2024-01-01   2024-01-01
IPv4    193.168.141.107                     2024-01-01   2024-01-01
DOMAIN  deck.31ventures.info                2023-10-13   2024-01-01
HASH    7e69cb4f9c37fad13de85e91b5a05a8…    2023-04-21   2024-01-01
URL     https://sbmsa.wiki/blog/_insert     2023-04-01   2024-01-01
DOMAIN  sbmsa.wiki                          2023-04-01   2024-01-01
