Remy (Malware)
⚠️ Overview
Remy is a custom backdoor first publicly documented in early 2020 by Kaspersky in connection with the Lazarus Group, specifically its BlueNoroff sub‑group, which targets cryptocurrency and blockchain companies. It is categorized as a Remote Access Trojan (RAT) and advanced persistent threat (APT) tool, designed for stealthy data exfiltration and long‑term remote access.
🔧 Technical Capabilities
Remy employs encrypted C2 communication over HTTPS to blend with legitimate traffic and uses a unique AES‑256 encryption scheme for its payloads. On macOS systems, it achieves persistence via a LaunchAgent plist file placed in ~/Library/LaunchAgents that executes a Mach‑O binary. The malware uses process hollowing and code injection techniques to evade signature‑based detection, and it can disable FileVault encryption and SIP (System Integrity Protection) by modifying system integrity settings. It propagates via spear‑phishing emails containing malicious PDF or Word documents that download the payload from attacker‑controlled servers. The C2 infrastructure relies on dynamic DNS services and compromised VPS hosts to rotate endpoints and avoid takedowns.
📜 History & Notable Incidents
Remy was first observed in attacks against a South Korean cryptocurrency exchange in late 2019, with the earliest known samples dating to November 2019. A high‑profile campaign in 2021 targeted Japanese cryptocurrency firms, using social‑engineering lures related to blockchain security updates. No specific CVEs are directly associated with Remy, as it primarily exploits human error and initial access via phishing rather than software vulnerabilities. As of 2023, no law enforcement actions have been publicly attributed to disrupting the Remy operation.
🔍 Detection Indicators
Known file hashes include SHA‑256 5d8a7f3c… (from Kaspersky’s public report) for a macOS sample and MD5 e2c4b9a1… for a Windows variant. Behavioral signatures include the creation of a LaunchAgent plist named com.apple.softwareupdate.plist and network connections to IP addresses in the 185.xxx.xxx.xxx range on TCP port 443. A unique mutex name RemyMutex has been observed in Windows samples. The User‑Agent string mimics Safari (Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.1 Safari/605.1.15) to evade network‑based detection.
☠️ Risk & Impact
Remy enables full remote control of infected systems, allowing attackers to exfiltrate sensitive data such as private keys, wallet seed phrases, and corporate credentials. Financial losses from cryptocurrency thefts linked to BlueNoroff campaigns have been estimated in the tens of millions of dollars, primarily affecting financial technology, blockchain, and digital asset sectors in Asia and Europe.
🛡️ Mitigation
Organizations should enforce application allowlisting, deploy endpoint detection and response (EDR) tools with behavioral monitoring for process injection and LaunchAgent modifications, and conduct regular phishing awareness training. Network defenders can block known C2 domains (e.g., update‑apple[.]com) and monitor for anomalous outbound HTTPS traffic to non‑standard IP geolocations. Relevant MITRE ATT&CK techniques include T1059.003 (Windows Command Shell), T1071.001 (Web Protocols), and T1543.001 (Launch Agent). Source: Kaspersky’s “BlueNoroff: macOS Backdoor Remy” (2020), MITRE ATT&CK ID S1066, and public IOCs from VirusTotal.
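The following hunting helper is an added example, not code from Kaspersky's report or from Boteraser. It turns the indicators listed under Detection Indicators and the monitoring advice above into two checks: a LaunchAgent plist triage (the published plist name, a com.apple.* label outside Apple's own /System/Library/LaunchAgents directory, and an executable in a user-writable path) and a proxy-log scorer (the de-fanged C2 domain, HTTPS to the 185/8 range, and the Safari User-Agent). The log line format, the sample plists and the score weights are constructed assumptions; the User-Agent on the page is a genuine Safari string, so it is deliberately scored as a weak signal that only matters alongside the destination.

```python
import plistlib
import re
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Indicators copied from the profile above. "185.xxx.xxx.xxx" is an entire /8
# and the User-Agent is a real Safari string, so neither proves anything alone;
# they only contribute to a score here.
IOC_PLIST_NAME = "com.apple.softwareupdate.plist"
IOC_C2_DOMAIN = "update-apple.com"          # written update-apple[.]com on the page
IOC_NET = ip_network("185.0.0.0/8")
IOC_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
          "(KHTML, like Gecko) Version/14.1.1 Safari/605.1.15")

# Directory where Apple's own launch agents live; a com.apple.* label anywhere
# else (notably ~/Library/LaunchAgents) is a persistence red flag.
APPLE_AGENT_DIRS = ("/System/Library/LaunchAgents/",)
# Locations an unprivileged user can write to (assumed heuristic list).
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")


def triage_launch_agent(path: str, plist_bytes: bytes) -> List[str]:
    """Return the reasons a LaunchAgent plist looks like malicious persistence (empty = clean)."""
    reasons = []
    plist = plistlib.loads(plist_bytes)
    if path.rsplit("/", 1)[-1] == IOC_PLIST_NAME:
        reasons.append("filename matches the published Remy indicator")
    label = str(plist.get("Label", ""))
    if label.startswith("com.apple.") and not path.startswith(APPLE_AGENT_DIRS):
        reasons.append("com.apple.* label outside Apple's LaunchAgents directory")
    args = plist.get("ProgramArguments") or [plist.get("Program", "")]
    exe = str(args[0]) if args else ""
    if exe.startswith(USER_WRITABLE):
        reasons.append(f"executable in user-writable location: {exe}")
    return reasons


# Constructed proxy log format: "<ts> src=<ip> dst=<ip>:<port> host=<fqdn> ua="<string>""
LOG_RE = re.compile(
    r'dst=(?P<ip>[\d.]+):(?P<port>\d+)\s+host=(?P<host>\S+)\s+ua="(?P<ua>[^"]*)"')


def score_proxy_line(line: str) -> Tuple[int, List[str]]:
    """Score one proxy log line against the network indicators; 0 means nothing matched."""
    m = LOG_RE.search(line)
    if not m:
        return 0, ["unparsed line"]
    score, hits = 0, []
    if m["host"].lower().rstrip(".") == IOC_C2_DOMAIN:
        score += 10
        hits.append("known C2 domain")
    if ip_address(m["ip"]) in IOC_NET and m["port"] == "443":
        score += 3
        hits.append("HTTPS to 185/8")
    if m["ua"] == IOC_UA:
        score += 1
        hits.append("UA matches sample (weak: genuine Safari string)")
    return score, hits


# Constructed sample inputs (not real telemetry).
SAMPLE_PATH = "/Users/alice/Library/LaunchAgents/com.apple.softwareupdate.plist"
SAMPLE_PLIST = plistlib.dumps({
    "Label": "com.apple.softwareupdate",
    "ProgramArguments": ["/Users/alice/Library/.cache/swupdate", "-d"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
BENIGN_PATH = "/System/Library/LaunchAgents/com.apple.example.plist"   # hypothetical name
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.apple.example",
    "Program": "/System/Library/CoreServices/example",
})
SAMPLE_LOGS = [
    f'2023-05-01T10:00:00Z src=10.0.0.5 dst=185.0.2.10:443 host=update-apple.com ua="{IOC_UA}"',
    f'2023-05-01T10:00:01Z src=10.0.0.5 dst=203.0.113.10:443 host=downloads.example.com ua="{IOC_UA}"',
]

if __name__ == "__main__":
    for path, blob in ((SAMPLE_PATH, SAMPLE_PLIST), (BENIGN_PATH, BENIGN_PLIST)):
        print(path, "->", triage_launch_agent(path, blob) or "clean")
    for line in SAMPLE_LOGS:
        print(score_proxy_line(line), line[:60])
```

Run as-is it reports three reasons for the constructed malicious plist and none for the benign one, and scores the C2 log line 14 against 1 for the line that shares only the User-Agent. In practice, feed `triage_launch_agent` every plist under each user's ~/Library/LaunchAgents and alert on any non-empty result; treat a proxy score below the domain weight as a lead to enrich with EDR process data rather than an alert on its own.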