A North Korean threat actor, believed to be financially motivated, is suspected of creating a new Apple macOS malware strain called RustBucket. The malware strain has raised concerns in the cybersecurity community.
The RustBucket malware
Researchers Ferdous Saljooki and Jaron Bradley from Jamf Threat Labs published a technical report last week, describing RustBucket as a malware that “communicates with command and control (C2) servers to download and execute various payloads.” The Apple device management company linked the malware to a threat actor known as BlueNoroff, a subgroup within the notorious Lazarus cluster. This cluster is also tracked under various monikers, such as APT28, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and TA444.
The connection between RustBucket and BlueNoroff is based on tactical and infrastructure overlaps with a previous campaign exposed by Russian cybersecurity company Kaspersky in late December 2022. The campaign likely targeted Japanese financial entities using fake domains that impersonated venture capital firms.
BlueNoroff’s notorious reputation
BlueNoroff, unlike other Lazarus Group entities, is well-known for its sophisticated cyber-enabled heists targeting the SWIFT system and cryptocurrency exchanges. This is part of an intrusion set tracked as CryptoCore. In June 2022, the U.S. Federal Bureau of Investigation (FBI) implicated the threat actor for stealing $100 million in cryptocurrency assets from Harmony Horizon Bridge.
The macOS malware identified by Jamf disguises itself as an “Internal PDF Viewer” application to initiate the infection. However, the success of the attack relies on the victim manually overriding Gatekeeper protections. In reality, it is an AppleScript file designed to retrieve a second-stage payload from a remote server, which also carries the same name as its predecessor. Both malicious apps are signed with an ad-hoc signature.
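As an added defender-side example (not code from the Jamf report), the helper below classifies the verbose output of macOS `codesign` so that ad-hoc signed bundles, like the fake "Internal PDF Viewer" described above, can be flagged during triage; the sample outputs and bundle names are constructed, and `check_app` only works on a real Mac.

```shell
#!/bin/sh
# classify_signature reads `codesign -dvv <bundle>` output on stdin and prints
# one word: unsigned, adhoc, developer-id or other. An ad-hoc signature has no
# certificate chain, so codesign prints "Signature=adhoc" and no Authority lines.
classify_signature() {
    out=$(cat)
    case "$out" in
        *"code object is not signed at all"*) echo unsigned ;;
        *"Signature=adhoc"*)                  echo adhoc ;;
        *"Authority=Developer ID Application"*) echo developer-id ;;
        *)                                    echo other ;;
    esac
}

# check_app runs codesign against a bundle on disk (macOS only). A Gatekeeper
# verdict can be added with: spctl --assess --type execute "$1"
check_app() {
    codesign -dvv "$1" 2>&1 | classify_signature
}

# Constructed sample resembling codesign output for an ad-hoc signed bundle
# (field labels are real codesign fields; values are made up).
SAMPLE_ADHOC='Executable=/Applications/Internal PDF Viewer.app/Contents/MacOS/Internal PDF Viewer
Identifier=com.example.pdfviewer
Format=app bundle with Mach-O thin (x86_64)
Signature=adhoc
Info.plist entries=20'

# Constructed sample for a Developer ID signed bundle (team id is a placeholder).
SAMPLE_DEVID='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=Developer ID Application: Example Corp (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA'

# Constructed sample for an unsigned binary.
SAMPLE_UNSIGNED='/tmp/example: code object is not signed at all'

# Run the classifier over the constructed samples when invoked with --demo.
if [ "${1:-}" = "--demo" ]; then
    for s in "$SAMPLE_ADHOC" "$SAMPLE_DEVID" "$SAMPLE_UNSIGNED"; do
        printf '%s\n' "$s" | classify_signature
    done
fi
```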
Adapting toolsets for cross-platform malware
The development is a sign that threat actors are adapting their toolsets to accommodate cross-platform malware by using programming languages like Go and Rust. The findings also follow a busy period of attacks orchestrated by the Lazarus Group, aimed at organizations across countries and industry verticals for collecting strategic intelligence and performing cryptocurrency theft.
Lazarus Group, also known as Hidden Cobra and Diamond Sleet, is more of an umbrella term for a mixture of state-sponsored and criminal hacking groups within North Korea’s primary foreign intelligence apparatus, the Reconnaissance General Bureau (RGB). Recent activity by the threat actor reveals a growing interest in exploiting trust relationships in the software supply chain as entry points to corporate networks.