Full Report
Kaspersky GReAT experts dive deep into the BlueNoroff APT's GhostCall and GhostHire campaigns. Extensive research detailing multiple malware chains targeting macOS, including a stealer suite, fake Zoom and Microsoft Teams clients and ChatGPT-enhanced images.
Analysis Summary
# Threat Actor: BlueNoroff
## Attribution & Identity
**Known Aliases and Associated Groups:** The report abstract names the actor only as BlueNoroff, a group Kaspersky and other vendors track as a financially motivated subgroup of the Lazarus cluster; it lists no further aliases, only the two campaigns analysed.
## Activity Summary
The analysis covers two recent BlueNoroff campaigns, **GhostCall** and **GhostHire**. Kaspersky's research details multiple malware chains built specifically for **macOS**: a multi-module stealer suite, trojanized **fake Zoom and Microsoft Teams clients**, and lure material built from **ChatGPT-enhanced images**.
## Tactics, Techniques & Procedures
- **Infection Vector:** Delivery via fake applications (Zoom, Microsoft Teams).
- **Deceptive Lures:** Usage of ChatGPT-enhanced images.
- **macOS Stealer Suite Execution:** An orchestrator script (`upl.sh`) runs five embedded modules in sequence and deletes each module once its output has been collected, so little of the toolset remains on disk afterwards.
- **Data Staging and Cleanup:** Collected data is staged under `/private/var/tmp/` and removed after exfiltration; the create-then-delete pattern in that directory is itself a useful detection signal.
- **Credential Harvesting:** Targeting browser internal data, wallet extensions, version control credentials, cloud configuration files, and SSH keys.
**Specific Modules/Targets:**
1. **`upl.sh` (Orchestrator/Apple Notes Stealer):** Collects Apple Notes data, staging it at `/private/var/tmp/group.com.apple.notes` (Notes itself keeps its store in the `~/Library/Group Containers/group.com.apple.notes` container).
2. **`cpl.sh` (Browser Extension Stealer):** Targets "Local Extension Settings" in Chromium browsers (Chrome, Brave, Arc, Edge, Ecosia) and specific wallet/manager databases (Exodus, Coinbase, Crypto.com, Manta Wallet, 1Password, Sui wallet) in `IndexedDB`.
3. **`ubd.sh` (Browser Credentials & Keychain Stealer):** Targets the sensitive profile files of Chromium browsers (Local State, History, Cookies, Login Data, etc.) together with the macOS keychain files `/Library/Keychains/System.keychain` and `~/Library/Keychains/login.keychain-db`. The keychain files are encrypted: `login.keychain-db` is protected by the user's login password, and on macOS Chromium encrypts saved passwords and cookies with a key it stores in that login keychain, so the copied files only yield secrets if the actor also obtains or cracks the login password.
4. **`secrets.sh` (General Secrets Stealer):** Harvests credentials and configuration profiles related to:
* **Version Control:** GitHub, GitLab, Bitbucket.
* **Package Managers:** npm, Yarn, pip, RubyGems, Cargo, NuGet.
* **Cloud Providers:** AWS, Google Cloud, Azure, OCI, Linode, DigitalOcean.
* **Platforms:** Vercel, Cloudflare, Netlify, Stripe, Firebase, Twilio.
* **DevOps/IaC:** CircleCI, Pulumi, HashiCorp (Vault token).
* **Security/Auth:** SSH, FTP/cURL/Wget (.netrc).
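The categories above map onto a small set of well-known files in a user's home directory. The following script is an added example written for this page (editor's code, not the report's and not the stealer's): it audits a home directory for exactly the kind of plaintext credential files `secrets.sh` goes after, records their permissions, checks whether SSH private keys are passphrase-protected, and orders them for rotation after a suspected compromise. The path list is an assumption based on the default on-disk locations of the named tools' CLIs; verify it against the versions installed in your environment. The sample home directory it builds is constructed and contains no real secrets.

```python
"""Audit a home directory for the plaintext credential files a stealer module
such as secrets.sh would harvest, and order them for rotation.
Added example (editor's code, not from the Kaspersky report).
"""
from __future__ import annotations

import base64
import os
import stat
import tempfile
from pathlib import Path

# Category -> paths relative to $HOME. ASSUMPTION: these are the default
# locations used by the named tools' CLIs; verify against installed versions.
SECRET_LOCATIONS: dict[str, tuple[str, ...]] = {
    "version control": (".git-credentials", ".config/gh/hosts.yml"),
    "package managers": (".npmrc", ".yarnrc.yml", ".pypirc", ".gem/credentials",
                         ".cargo/credentials.toml", ".nuget/NuGet/NuGet.Config"),
    "cloud providers": (".aws/credentials",
                        ".config/gcloud/application_default_credentials.json",
                        ".azure/msal_token_cache.json", ".oci/config",
                        ".config/doctl/config.yaml"),
    "platforms": (".config/stripe/config.toml",
                  ".config/configstore/firebase-tools.json",
                  ".twilio-cli/config.json", ".wrangler/config/default.toml",
                  "Library/Application Support/com.vercel.cli/auth.json",
                  "Library/Preferences/netlify/config.json"),
    "devops/iac": (".circleci/cli.yml", ".pulumi/credentials.json", ".vault-token"),
    "ssh/netrc": (".ssh/id_rsa", ".ssh/id_ecdsa", ".ssh/id_ed25519", ".netrc"),
}

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def ssh_key_is_encrypted(path: Path) -> bool | None:
    """True if a private key is passphrase-protected, False if it is plaintext,
    None if the file is not a recognised private-key format."""
    text = path.read_text(errors="replace")
    if text.startswith("-----BEGIN OPENSSH PRIVATE KEY-----"):
        body = "".join(l for l in text.splitlines() if not l.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(OPENSSH_MAGIC):
            return None
        off = len(OPENSSH_MAGIC)
        n = int.from_bytes(blob[off:off + 4], "big")   # length of cipher name
        cipher = blob[off + 4:off + 4 + n]              # b"none" == unencrypted
        return cipher != b"none"
    if text.startswith("-----BEGIN") and "PRIVATE KEY-----" in text:
        return "Proc-Type: 4,ENCRYPTED" in text         # legacy PEM keys
    return None


def audit_home(home: Path) -> list[dict]:
    """One record per credential file present under `home`."""
    findings = []
    for category, rel_paths in SECRET_LOCATIONS.items():
        for rel in rel_paths:
            p = home / rel
            if not p.is_file():
                continue
            mode = stat.S_IMODE(p.stat().st_mode)
            rec = {"category": category, "path": rel, "mode": f"{mode:04o}",
                   "group_or_world_readable": bool(mode & 0o044)}
            if rel.startswith(".ssh/"):
                rec["encrypted"] = ssh_key_is_encrypted(p)
            findings.append(rec)
    return findings


def rotate_first(findings: list[dict]) -> list[str]:
    """Every plaintext secret needs rotating once the file may have been copied;
    unencrypted SSH keys, then loosely permissioned files, go to the front."""
    def urgency(rec: dict) -> tuple:
        plain_key = rec.get("encrypted") is False
        return (not plain_key, not rec["group_or_world_readable"], rec["path"])
    return [r["path"] for r in sorted(findings, key=urgency)]


def build_demo_home(root: Path) -> Path:
    """Populate a CONSTRUCTED sample home directory (dummy values, no real secrets)."""
    (root / ".aws").mkdir()
    (root / ".aws/credentials").write_text(
        "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n")
    os.chmod(root / ".aws/credentials", 0o600)
    (root / ".netrc").write_text("machine example.com login dev password hunter2\n")
    os.chmod(root / ".netrc", 0o644)                    # readable by everyone
    (root / ".ssh").mkdir()
    blob = OPENSSH_MAGIC + (4).to_bytes(4, "big") + b"none" + b"\x00" * 16
    key = ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
           + "\n-----END OPENSSH PRIVATE KEY-----\n")
    (root / ".ssh/id_ed25519").write_text(key)          # unencrypted key
    os.chmod(root / ".ssh/id_ed25519", 0o600)
    return root


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        findings = audit_home(build_demo_home(Path(d)))
        return {"findings": findings, "rotate_first": rotate_first(findings)}


if __name__ == "__main__":
    for rec in run_demo()["findings"]:
        print(rec)
```

Run it against a real account with `audit_home(Path.home())`. Anything it lists is a secret that leaves the machine in usable form the moment a shell script can read the file, which is the practical argument for SSO-issued short-lived CLI credentials and passphrase-protected or hardware-backed SSH keys over static files.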
## Targeting
- **Sectors:** Not named in the abstract. The call-software lures (Zoom, Teams) point at knowledge workers, and the breadth of harvested material (cloud CLI credentials, package-registry tokens, IaC and Vault tokens, wallet extension data) points at developers, DevOps staff and people holding cryptocurrency.
- **Geography:** Not specified in the abstract.
- **Victims:** Not named; the profile is macOS users whose machines hold developer, cloud and wallet credentials.
## Tools & Infrastructure
- **Malware Families Used:** Custom multi-module stealer suite orchestrated via shell scripts (`.sh`).
- **Infrastructure:** The article abstract focuses heavily on the malware capabilities and does not list specific C2 domains or IPs.
## Implications
BlueNoroff continues to maintain sophisticated, macOS-specific attack capabilities, demonstrating a high level of resource investment in custom malware chains tailored to harvest a comprehensive array of secrets (wallets, cloud keys, DevOps tokens). The ChatGPT-enhanced imagery shows generative tooling being used to make lure content more convincing.
## Mitigations
- **Application Sourcing:** Users must only download legitimate software (Zoom, Teams) directly from official vendor sites or trusted application stores, avoiding links provided via email or suspicious third-party sources.
- **Endpoint Security:** Deploy EDR that records script-interpreter execution (sh, bash, zsh, osascript) and file access, and alert when a script reads keychain files, browser profile databases or developer credential files, or creates and then deletes files under `/private/var/tmp/`.
- **Credential Hygiene:** Apply least privilege. After any suspected exposure, rotate every token and key that lives in a user profile file (AWS, Azure and gcloud CLI caches, `.netrc`, npm and Vault tokens). Prefer short-lived SSO-issued CLI credentials over static keys in files such as `~/.aws/credentials`, require passphrases on SSH keys, and use hardware-backed keys (FIDO2 `-sk` SSH keys, secure-enclave-backed signing) where the tooling supports them, so that a copied file is useless on its own.
- **macOS Security:** Keep Gatekeeper and XProtect enabled and up to date, and make sure users cannot simply override Gatekeeper for an unsigned download. Audit who holds administrator rights and which accounts keep the login keychain unlocked for long sessions.
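The endpoint-security recommendation above is concrete enough to turn into detection logic. The block below is an added example (editor's code, not the report's) that runs three rules over process and file events: a script interpreter opening a keychain file, one process reading credential files from several distinct categories within a short window, and a process creating and later unlinking a file under `/private/var/tmp/`. The event schema is an assumed, simplified stand-in for EDR or Endpoint Security telemetry, and the sample events are constructed for this example.

```python
"""Three detection rules for the stealer behaviour described in the analysis,
run over constructed endpoint events. Added example (editor's code).
Event schema (ASSUMED stand-in for EDR telemetry): JSON object per line with
ts (seconds), pid, proc (process name), event (exec|open|create|unlink), path.
"""
from __future__ import annotations

import json
from collections import defaultdict

SCRIPT_PROCS = {"sh", "bash", "zsh", "osascript", "python3", "curl"}
KEYCHAINS = ("/Library/Keychains/System.keychain",
             "/Library/Keychains/login.keychain-db")
# Path fragments grouped by what the modules in the report collect.
CREDENTIAL_PATTERNS = {
    "keychain": ("/Library/Keychains/",),
    "notes": ("group.com.apple.notes",),
    "browser": ("/Login Data", "/Cookies", "/Local State",
                "/Local Extension Settings/", "/IndexedDB/"),
    "ssh": ("/.ssh/id_",),
    "cloud": ("/.aws/", "/.config/gcloud/", "/.azure/", "/.oci/"),
    "devtools": ("/.netrc", "/.npmrc", "/.git-credentials", "/.vault-token", "/.pypirc"),
}
SWEEP_MIN_CATEGORIES = 3   # distinct categories one process must touch ...
SWEEP_WINDOW_S = 60        # ... within this many seconds to count as a sweep
STAGING_DIR = "/private/var/tmp/"


def classify(path: str) -> str | None:
    """Map a file path to a credential category, or None if it is not one."""
    for cat, pats in CREDENTIAL_PATTERNS.items():
        if any(p in path for p in pats):
            return cat
    return None


def detect(lines: list[str]) -> list[dict]:
    """Return one alert dict per rule hit."""
    alerts = []
    touched = defaultdict(list)   # pid -> [(ts, category)]
    staged = defaultdict(set)     # pid -> paths it created under STAGING_DIR
    for line in lines:
        ev = json.loads(line)
        pid, proc, path, ts = ev["pid"], ev["proc"], ev.get("path", ""), ev["ts"]
        if ev["event"] == "open":
            if proc in SCRIPT_PROCS and path.endswith(KEYCHAINS):
                alerts.append({"rule": "keychain_read_by_script", "pid": pid, "path": path})
            cat = classify(path)
            if cat:
                touched[pid].append((ts, cat))
        elif ev["event"] == "create" and path.startswith(STAGING_DIR):
            staged[pid].add(path)
        elif ev["event"] == "unlink" and path in staged[pid]:
            alerts.append({"rule": "tmp_stage_and_wipe", "pid": pid, "path": path})
    # Sliding window over each process's credential reads.
    for pid, hits in touched.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            cats = {c for t, c in hits[i:] if t - t0 <= SWEEP_WINDOW_S}
            if len(cats) >= SWEEP_MIN_CATEGORIES:
                alerts.append({"rule": "credential_sweep", "pid": pid,
                               "categories": sorted(cats)})
                break
    return alerts


# CONSTRUCTED sample telemetry: a browser reading its own profile (benign) and
# a shell script behaving like the orchestrator described in the analysis.
SAMPLE_EVENTS = [
    '{"ts": 100, "pid": 501, "proc": "Google Chrome", "event": "open", '
    '"path": "/Users/dev/Library/Application Support/Google/Chrome/Default/Login Data"}',
    '{"ts": 200, "pid": 4242, "proc": "sh", "event": "exec", "path": "/private/var/tmp/upl.sh"}',
    '{"ts": 201, "pid": 4242, "proc": "sh", "event": "open", '
    '"path": "/Users/dev/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite"}',
    '{"ts": 203, "pid": 4242, "proc": "sh", "event": "open", '
    '"path": "/Users/dev/Library/Keychains/login.keychain-db"}',
    '{"ts": 205, "pid": 4242, "proc": "sh", "event": "open", "path": "/Users/dev/.aws/credentials"}',
    '{"ts": 206, "pid": 4242, "proc": "sh", "event": "open", "path": "/Users/dev/.ssh/id_ed25519"}',
    '{"ts": 210, "pid": 4242, "proc": "sh", "event": "create", "path": "/private/var/tmp/stage.tar"}',
    '{"ts": 240, "pid": 4242, "proc": "sh", "event": "unlink", "path": "/private/var/tmp/stage.tar"}',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The browser's own read of `Login Data` is expected and produces nothing; the shell process trips all three rules. When porting this to a real EDR query language, key the sweep rule on the process tree rather than a single pid, since an orchestrator that spawns one child per module would otherwise spread its reads across several pids.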