Diving into the details
- Jamf Threat Labs first came across the malware while investigating a Mach-O universal binary executable that was communicating with a malicious domain swissborg[.]blog.
- The malicious domain was hosted on an IP address that BlueNoroff threat actors had previously used to host various other domains.
- As the name suggests, the malware is written in Objective-C and operates as a very simple remote shell that executes shell commands on compromised systems. These commands are sent from the C2 server operated by the attackers.
- The exact initial access vector for the attack is not known; however, it is suspected that the malware is delivered as a post-exploitation payload via social engineering.
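Two of the details above lend themselves to defender-side checks: the defanged domain indicator and the fact that the sample is a Mach-O universal binary. The following Python is an added example, not Jamf Threat Labs code: it refangs the published indicator and hunts for it (and its subdomains) across DNS resolver log lines, and it parses a fat Mach-O header to list the architecture slices. The log lines, the sample header bytes and the function names are constructed assumptions for illustration.

```python
import re
import struct

DEFANGED_IOCS = ["swissborg[.]blog"]  # indicator exactly as published in the write-up
FAT_MAGIC = 0xCAFEBABE  # big-endian magic of a Mach-O universal (fat) binary
CPU_TYPE_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64"}  # Mach-O cputype values

def refang(ioc):
    """Turn the defanged 'swissborg[.]blog' back into a matchable hostname."""
    return ioc.replace("[.]", ".")

def hunt_dns_log(lines, iocs=DEFANGED_IOCS):
    """Return (line_no, host) for queries that hit an indicator or one of its subdomains."""
    hosts = [refang(i).lower() for i in iocs]
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"query:\s*([\w.-]+)", line)
        if not m:
            continue
        q = m.group(1).lower().rstrip(".")
        if any(q == h or q.endswith("." + h) for h in hosts):
            hits.append((n, q))
    return hits

def fat_architectures(data):
    """Architectures listed in a Mach-O universal header, or [] if data is not one.
    Java .class files share this magic; the bounds checks reject most of them, but
    confirm with `file` or `lipo -info` during real triage."""
    if len(data) < 8 or struct.unpack(">I", data[:4])[0] != FAT_MAGIC:
        return []
    nfat = struct.unpack(">I", data[4:8])[0]
    if nfat == 0 or 8 + nfat * 20 > len(data):
        return []
    archs = []
    for i in range(nfat):  # each fat_arch entry is five big-endian uint32 fields
        cputype, _sub, offset, size, _align = struct.unpack(">IIIII", data[8 + i * 20:28 + i * 20])
        if offset + size > len(data):  # the slice must lie inside the file
            return []
        archs.append(CPU_TYPE_NAMES.get(cputype, hex(cputype)))
    return archs

# Constructed inputs: a resolver log excerpt and a minimal two-slice fat header (80 bytes).
SAMPLE_DNS_LOG = [
    "client 10.0.0.5 query: apple.com A",
    "client 10.0.0.5 query: swissborg.blog A",
    "client 10.0.0.9 query: api.swissborg.blog A",
    "client 10.0.0.5 query: notswissborg.blog A",
]
SAMPLE_FAT = (struct.pack(">II", FAT_MAGIC, 2) + struct.pack(">IIIII", 0x01000007, 3, 48, 16, 12)
              + struct.pack(">IIIII", 0x0100000C, 0, 64, 16, 14) + b"\xcf\xfa\xed\xfe" * 8)

if __name__ == "__main__":
    print(hunt_dns_log(SAMPLE_DNS_LOG), fat_architectures(SAMPLE_FAT))
```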
While the researchers have yet to determine the victims of the ObjCShellz attacks, the choice of domain suggests that the threat actors targeted an entity or individual with an interest in the cryptocurrency exchange sector.
ObjCShellz is the latest malware to emerge that targets macOS systems. Jamf Threat Labs continues to track the malware and its association with the RustBucket campaign.