A new macOS backdoor vulnerability that lets hackers hijack devices is the latest to plague users, here’s what you need to know

News
By
published

A newly uncovered macOS backdoor vulnerability enables hackers to covertly take control of devices, and a notorious state-backed group could be behind it

Apple logo is seen in the background of a silhouette of a person using a notebook
(Image credit: Getty Images)

Security experts have warned of a new macOS backdoor vulnerability that has enabled hackers to take over devices without users knowing.

Analysis from Greg Lesnewich, senior threat researcher at Proofpoint, outlined how he came across the new malware strain, dubbed ‘SpectralBlur’.

Internet scan data from Censys tipped Lesnewich off to a suspicious domain, where he found a suspicious file, ‘.machshare’, being downloaded from the ‘auth’ subdomain.

Lesnewich described the SpectralBlur malware as “a moderately capable backdoor, that can upload/download files, run a shell, update its configuration, delete files, hibernate or sleep, based on commands issued from the C2 [server].”

One novel aspect to the malware is its use of ‘grantpt’ to set up a pseudo-terminal and execute shell commands, as macOS security researcher Phil Stokes pointed out in response to Lesnewich’s tweet warning of the backdoor.

Delving deeper into the .macshare file led Lesnewich to find a number of similarities linking SpectralBlur to other malware strains, including KANDYKORN, or SockRacket, known to belong to BlueNorOff, or TA444.

BlueNorOff has been identified as a subgroup of North Korean state-sponsored threat actors, the Lazarus Group, that focuses on targeting foreign financial institutions. 

Lazarus Group ramping up activity

Lesnewich’s findings add to a concerning trend of new malware families targeting macOS devices, with 21 new malware strains that exploit macOS being discovered in 2023.

Binary digital security padlock and network data on a huge cyberspace

(Image credit: Getty Images)

Just one-third of firms could survive more than a day without IT systemsNSA: Benefits of generative AI in cyber security will outweigh the badBritish Library cyber attack fallout highlights public sector security weaknesses

This latest backdoor indicates TAs are not slowing down in their efforts to compromise MacOS devices, with Lesnewich describing the North Korean affiliated BlueNorOff group’s activities as “fast and furious”. 

James Pickard, head of security testing at IT Governance, told ITPro organizations should ensure they are deploying a defense in depth approach that involves multiple layers of security to provide holistic protection.

“As with many threats like this, it’s recommended that organizations and users implement a defense in depth approach. This involves patching, endpoint protection, user training and awareness, monitoring, and operating with the least privilege model, etc.” Pickard advised.

RELATED RESOURCE

Whitepaper cover with two colleagues at a workstation looking at a computer

(Image credit: Zscaler)

Discover what the best approach to CASB and DLP requires

DOWNLOAD NOW

Integral to keeping devices secure is endpoint protection, Pickard explained, noting that Apple has recommended a number of solutions users can use to defend against attacks.

The tech giant has recommended using tools such as Gatekeeper, Notarisation, and XProtect to prevent, block, and remediate malware on affected machines, he said. 

Users have also been advised to regularly ensure that patches are up-to-date and remain vigilant for any suspicious activity on devices. 

Solomon Klappholz
Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.