As the digital world evolves, so does the threat landscape, and RustBucket, a malware family targeting Apple macOS, is no exception. Researchers have recently documented a more advanced version of the malware that adds a persistence mechanism and improves its ability to evade security software.
An enhanced malware variant targeting macOS
The upgraded version of RustBucket, already known for targeting macOS systems, now includes persistence capabilities that earlier samples lacked. Elastic Security Labs, which documented the variant in a recent report, also highlighted a change in its command-and-control approach: the malware relies on dynamic DNS infrastructure, which lets the operators change the resolved IP address at will and makes static IP-based blocking less effective.
The North Korean threat actor, BlueNoroff, is behind RustBucket. This actor is part of the wider intrusion network known as the Lazarus Group. Under the supervision of North Korea’s primary intelligence agency, the Reconnaissance General Bureau (RGB), this elite hacking unit is notorious for its sophisticated cyberattacks.
Historical context and surveillance
RustBucket was first documented in April 2023 by Jamf Threat Labs, which described it as an AppleScript-based backdoor that retrieves a second-stage payload from a remote server. Elastic tracks the intrusion set behind it as REF9135.
The second stage, written in Swift, downloads the main payload from the command-and-control (C2) server. That payload, a Rust-based binary, collects detailed system information and can fetch and execute additional Mach-O binaries or shell scripts on the compromised host.
Notably, this is BlueNoroff’s first known malware written specifically for macOS. A .NET version of RustBucket with a similar feature set has since appeared as well.
Infection chain and targets
The infection chain starts with a macOS installer that sets up a backdoored, but otherwise functional, PDF reader. The malicious behaviour is triggered only when a weaponized PDF file is opened in that rogue reader; opening the same file in a legitimate viewer does nothing. Initial access relies on phishing emails and on counterfeit personas on social networking platforms such as LinkedIn.
The attacks appear to focus on finance-related institutions in Asia, Europe, and the U.S., which suggests that the primary goal of the activity is to generate illicit revenue for the regime in order to evade sanctions.
Noteworthy features of the updated version
The new version of RustBucket stands out for its persistence mechanism and its C2 setup. It uses a dynamic DNS domain (docsend.linkpc[.]net) for command-and-control, and it establishes persistence by writing a launchd property list (plist) that points at a copy of the malware’s binary placed at a fixed path, so the backdoor is relaunched after the user logs in again rather than dying with the PDF reader process.
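The two behaviours described above, plist-based launchd persistence and C2 over a dynamic DNS domain, are both things a defender can hunt for. The following is an added example written for this page; it is not Elastic’s, Jamf’s, or the malware’s own code. It parses LaunchAgent-style plists and flags jobs whose program lives in a user-writable location, whose `com.apple.*` label points at a non-Apple binary, or which are set to start at login and be kept alive, and it scans DNS query logs for lookups of dynamic-DNS domains. The sample plists, the log line format, the label `com.apple.example.updater`, the path under `/Users/analyst/...`, and the list of dynamic-DNS providers beyond `linkpc.net` are all constructed assumptions for illustration, not RustBucket indicators taken from the report.

```python
"""Hunt for launchd-plist persistence and dynamic-DNS C2 lookups on macOS.

Added example for this article, not code from Elastic, Jamf or the malware.
All sample data below is constructed; only the linkpc.net domain comes from
the report, and it is used in its plain (non-defanged) form so the regex
matches a realistic resolver log line.
"""
import plistlib
import re
from typing import List, Optional, Tuple

# User-writable locations from which a launchd job normally has no business running.
SUSPICIOUS_PROGRAM_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")

# Locations where Apple-shipped binaries live; a com.apple.* label that runs
# something outside these is impersonating an Apple job.
APPLE_BINARY_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/", "/Library/Apple/")

# Dynamic-DNS suffixes to flag. linkpc.net is the provider named in the report;
# the others are added here as well-known dynamic-DNS services (assumption).
DYNAMIC_DNS_SUFFIXES = ("linkpc.net", "no-ip.com", "ddns.net", "duckdns.org", "hopto.org")


def find_program(job: dict) -> Optional[str]:
    """Return the executable a launchd job runs, from Program or ProgramArguments[0]."""
    if isinstance(job.get("Program"), str):
        return job["Program"]
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def assess_launch_agent(plist_bytes: bytes) -> List[str]:
    """Parse one launchd plist and return a list of findings (empty if nothing stands out)."""
    job = plistlib.loads(plist_bytes)
    findings: List[str] = []
    label = job.get("Label", "")
    program = find_program(job)
    if program is None:
        return ["no Program/ProgramArguments: malformed or unusual job"]
    if program.startswith(SUSPICIOUS_PROGRAM_PREFIXES):
        findings.append(f"program in user-writable location: {program}")
    if label.startswith("com.apple.") and not program.startswith(APPLE_BINARY_PREFIXES):
        findings.append(f"Apple-style label {label!r} runs non-Apple path {program}")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        findings.append("RunAtLoad+KeepAlive: job starts at login and is relaunched if it exits")
    return findings


# Constructed resolver log format: "<timestamp> <host> query: <qname>" (assumption).
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) query: (?P<qname>\S+)")


def is_dynamic_dns(qname: str) -> bool:
    """True if qname equals or is a subdomain of a known dynamic-DNS suffix."""
    q = qname.rstrip(".").lower()
    return any(q == s or q.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def flag_dynamic_dns(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (host, qname) for every parsable log line that queries a dynamic-DNS domain."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        qname = m.group("qname").rstrip(".").lower()
        if is_dynamic_dns(qname):
            hits.append((m.group("host"), qname))
    return hits


# Constructed sample plists (label and path are illustrative, not real indicators).
SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "com.apple.example.updater",
    "ProgramArguments": ["/Users/analyst/Library/Application Support/updater"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.vendor.agent",
    "ProgramArguments": ["/Applications/Vendor.app/Contents/MacOS/agent", "--daemon"],
    "RunAtLoad": True,
})

# Constructed DNS log lines, including one malformed line the parser must skip.
SAMPLE_DNS_LOG = [
    "2023-07-01T10:00:00Z mac-fin-07 query: docsend.linkpc.net.",
    "2023-07-01T10:00:02Z mac-fin-07 query: www.apple.com.",
    "2023-07-01T10:00:05Z mac-fin-12 query: updates.hopto.org",
    "garbage line",
]

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_PLIST), ("benign", BENIGN_PLIST)):
        print(name, assess_launch_agent(blob))
    print(flag_dynamic_dns(SAMPLE_DNS_LOG))
```

In practice you would feed `assess_launch_agent` the contents of every file under `~/Library/LaunchAgents` for each user, and `flag_dynamic_dns` the output of your resolver or EDR DNS telemetry; a hit on either check is a lead to triage, not a verdict, since legitimate software does occasionally use both LaunchAgents and dynamic DNS.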
Reader’s viewpoint
What do our valued readers think about this enhanced threat from RustBucket malware? We’d love to hear your thoughts! Please share them with us in the comment section below.