A North Korean-linked APT (advanced persistent threat) group recently found and exploited an email vulnerability. Not exactly great news, but even worse, North Korea appears to be actively focused on finding ways to target the macOS. How it all plays out remains to be seen, but in the meantime, a look at this new vulnerability is a smart idea.

Documented in a joint advisory from the FBI, Department of State, and the National Security Agency (NSA), it warns of an issue with weak DMARC Security policies that allow a backdoor malware. The advisory does not point to a specific threat to MacOS, but there are known instances of one called SpectralBlur. Though the advisory warns all operating systems are at risk. Discovering SpectralBlur is further evidence that North Korean threat actors are laser-focused on exploiting the macOS, as well as other operating systems, by creating malware for targeted attacks.

SpectralBlur isn’t considered sophisticated malware, but it has its purpose. Attackers use it for common backdoor abilities like uploading and downloading files, deleting files, updating its configuration, and other directives from the command and control (C2) server. It also has ways of evading detection.

Last year, another macOS malware was also suspected linked to a North Korean-linked APT.

Advisory Notes Some Red Flags Flying

The following activities were noted as possible indications or behaviors of malicious cyber actors. They will sound familiar:

“Innocuous initial communication with no malicious links/attachments, followed by communications containing malicious links/documents, potentially from a different, seemingly legitimate, email address;  Email content that may include real text of messages recovered from previous victim engagement with other legitimate contacts; Emails in English that have awkward sentence structure and/or incorrect grammar; Emails or communications targeting victims with either direct or indirect knowledge of policy information, including U.S. and ROK government employees/officials working on North Korea, Asia, China, and/or Southeast Asia matters; U.S. and ROK government employees with high clearance levels, and members of the military; Email accounts that are spoofed with subtle incorrect misspellings of legitimate names and email addresses listed in a university directory or an official website; Malicious documents that require the user to click “Enable Macros” to view the document; Follow-up emails with a sense of urgency that within 2-3 days of initial contact something bad will happen if the target does not respond to the initial spear phishing email; Emails purporting to be from official sources but sent using unofficial email services, identifiable through the email header information being a slightly incorrect version of an organization’s domain.”

Avoiding APTs

There are ways to keep North Korean and other APTs at bay, starting with keeping all systems and software updated at all times. This includes applying patches as soon as available since they often fix security flaws. Also, make sure systems have anti-virus software installed to catch malware before it invades a system.

With North Korea in clear pursuit of macOS vulnerabilities, it’s reasonable to believe they’re not the only country with macOS in their crosshairs. For now, staying informed and with systems protected and up to date is smart protection from any nation-state attacker.

Advice to Organizations for Securing Email

This group is identified by authorities as APT43, also known as Kimsuky. The joint advisory recommends that organizations implement mitigations to improve the DMARC security policies.

Additional recommendations can be found in the advisory: JCSA-20240502-001.