"dominic. The main method just runs a simple task on a loop (every 3.37 seconds). Figure 31: main method from the base app. The task simply prints the string current: yyyy-mm-dd hh:mm:ss to /dev/null. This is probably just to keep the binary alive so it can be injec…"
T1566.002 Spearphishing Link (98%)
"Inside the BlueNoroff Web3 macOS Intrusion Analysis. Summary: On June 11, 2025, Huntress received contact from a partner saying that an end user had downloaded, potentially, a malicious Zoom extension. The depth of the intrusion became immediately apparent upon installing the Huntr…"
T1056.001 Keylogging (98%)
"accepts 3 potential command line arguments: --u: use a custom C2 domain; --c: how long to sleep between screen captures; --p: if clipboard should be monitored. In the case of this intrusion it was called repeatedly by the remoted binary with the -p argument. The overall w…"
T1056.001 Keylogging (98%)
"was being interacted with for each keypress. They do this by querying frontmostApplication and grabbing that app name's bundle identifier. If it is different from the last call, they will log the application name and time to the keylog buffer: After that happens, they will check i…"
T1055.001 Dynamic-link Library Injection (97%)
"…mpilation of getting a Mach port on the sacrificial process. From there, they get a list of threads associated with the process using task_threads. If that is successful, they begin to parse the Mach-O header of the decrypted payload. This is a very similar process to how th…"
T1566.002 Spearphishing Link (96%)
"the employee, and the attacker sent a Calendly link to set up a meeting time. The Calendly link was for a Google Meet event, but when clicked, the URL redirects the end user to a fake Zoom domain controlled by the threat actor. Several weeks later, when the employee joined what end…"
T1105 Ingress Tool Transfer (92%)
"lines, it downloads a payload from a malicious website, https[:]//support[.]us05web-zoom[.]biz, and after downloading completes, runs a script. While we weren't able to recover this second stage from the intrusion, we were able to find a version on VirusTotal that…"
T1027 Obfuscated Files or Information (90%)
"covered in the next section). This command was run 6 times from when the customer was onboarded to when the host was isolated. Configuration: The binary stores associated information such as its configuration, payload versions, and startup commands in a directory located at /lib…"
T1055.001 Dynamic-link Library Injection (83%)
"are 0xbebafeca it's a fat executable (meaning both an ARM and x86_64 binary glued together), so it has to iterate over the fat header entries until it finds the x86_64 Mach-O header. Otherwise, if the magic bytes are 0xfeedfacf it is just an x86_64 Mach-O and that isn't…"
T1055.001 Dynamic-link Library Injection (77%)
"…ed content. This occurs for both base64 blobs which are later used in the process injection portion. Process Injection: By far the most interesting part about this malware is how it deploys the malicious payload. Anyone who looks at Windows is extremely familiar with the techniq…"
T1543.001 Launch Agent (73%)
". The binary is ad-hoc signed with the identifier root_startup_loader_arm64. Telegram 2 was used as the persistence mechanism and starting hourly, with the following plist: Configuration: Upon execution, this binary will create a config file in /private/var/tmp/cfg. u…"
T1056.001 Keylogging (67%)
"the display using the CGDisplayCreateImage API, and then saves that content to a file located at /private/tmp/google_cache.db. If that is successful, it will convert the image to base64 and append the letter "i" so that the C2 can delineate what data is an image. Finall…"
T1055.001 Dynamic-link Library Injection (54%)
"in the following figure: Figure 29: decompilation of restoring the sleeping process to execute the injected payload. Payload Cleanup: After the payloads were deployed, the actor then ran the binary using the --d flag which calls the zerowrite function. This iterates over all fi…"
T1555.003 Credentials from Web Browsers (51%)
"…b with an IV of 0. The key is static and is embedded in the binary f6102a492570dee84bbc9ebd8bd7bfab4e442eae3b416b1a. Several initialization functions are used to create the previously mentioned files: - main.initializecryptocache - main.initializeuserinfo - main.initializev…"
T1543.001 Launch Agent (41%)
". - Base app: a benign Swift application that is injected into. - Payload: a different implant written in Nim, with command execution capability. - XScreen (keyboardd): a keylogger written in Objective-C that has capability to monitor keystrokes, the clipboard, and the scr…"
T1027 Obfuscated Files or Information (41%)
"with the parameters ./cloudkit and a password of gift123$%^. Key Derivation Function: To decrypt both the payload and the base app, the supplied password is used with a password-based key derivation function (PBKDF) to derive AES keys. Figure 19: decompilation of password s…"