Lazarus Subgroup Targeting Apple Devices with New RustBucket macOS Malware

RustBucket macOS Malware

A financially motivated North Korean threat actor is suspected to be behind a new Apple macOS malware known as RustBucket.

“[RustBucket] communicates with command-and-control (C2) servers to download and execute various payloads,” said Jamf Threat Labs researchers Ferdous Saljooki and Jaron Bradley in a technical report published last week.

The Apple device management company attributes it to a threat actor known as BlueNoroff, a subgroup within the notorious Lazarus cluster that is also tracked under the names APT28, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and TA444.

The connection stems from tactical and infrastructure overlaps with a previous campaign, exposed by Russian cybersecurity firm Kaspersky in late December 2022, that targeted Japanese financial institutions using fake domains impersonating venture capital firms.

Unlike other constituent entities of the Lazarus Group, BlueNoroff is known for sophisticated cyber-enabled heists targeting SWIFT systems and cryptocurrency exchanges as part of an intrusion set tracked as CryptoCore.

Earlier this year, the U.S. Federal Bureau of Investigation (FBI) linked this threat actor to the June 2022 theft of $100 million in cryptocurrency assets from Harmony Horizon Bridge.

BlueNoroff’s offensive repertoire is also said to have seen significant changes in the past few months. The group uses work-themed lures to trick email recipients into entering their credentials on a fake landing page.

The macOS malware identified by Jamf starts the infection by masquerading as an “Internal PDF Viewer” application, although a successful attack requires victims to manually override Gatekeeper protections.

In reality, it is an AppleScript file designed to retrieve the second-stage payload from a remote server; the second stage bears the same name as its predecessor, and both malicious apps are signed with ad-hoc signatures.
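The ad-hoc signing detail is something defenders can check for directly. The following Python triage is an added example, not code from Jamf’s report: it parses the report that Apple’s `codesign -dvv <bundle>` prints for an app bundle and flags ad-hoc signatures and missing Team IDs. The three sample reports are constructed (the bundle paths, bundle identifiers and the Team ID `ABCDE12345` are placeholders); the `Signature=adhoc`, `TeamIdentifier=not set` and `Authority=` lines follow codesign’s real output format, and “code object is not signed at all” is codesign’s real message for unsigned code.

```python
import subprocess
import sys
from typing import Dict, List


def run_codesign(bundle_path: str) -> str:
    """Collect `codesign -dvv <bundle>` output (macOS only). codesign writes its
    report, and its error text for unsigned code, to stderr."""
    proc = subprocess.run(["codesign", "-dvv", bundle_path],
                          capture_output=True, text=True, check=False)
    return proc.stderr + proc.stdout


def parse_codesign(output: str) -> Dict[str, object]:
    """Turn codesign's key=value report lines into a dict. 'Authority=' repeats
    once per certificate in the chain, so it is kept as a list."""
    authorities: List[str] = []
    info: Dict[str, object] = {"Authority": authorities}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key=value report line
        key, value = key.strip(), value.strip()
        if key == "Authority":
            authorities.append(value)
        else:
            info[key] = value
    return info


def triage_signature(output: str) -> Dict[str, object]:
    """Classify a bundle from its codesign report.
    Verdicts: 'unsigned'; 'adhoc' (no signing identity, so anyone can produce
    one and it cannot be notarized); 'developer-id' (Developer ID certificate
    chain plus a Team ID); or 'other' (e.g. Apple Development or App Store)."""
    if "code object is not signed at all" in output:
        return {"verdict": "unsigned", "team_id": None, "authorities": [], "flags": []}
    info = parse_codesign(output)
    authorities = list(info["Authority"])
    team_id = str(info.get("TeamIdentifier", "not set"))
    adhoc = str(info.get("Signature", "")).lower() == "adhoc"
    flags: List[str] = []
    if adhoc:
        flags.append("ad-hoc signature: no signing identity, not notarizable")
    if team_id == "not set":
        flags.append("no Team ID")
    if adhoc:
        verdict = "adhoc"
    elif team_id != "not set" and any(
            a.startswith("Developer ID Application:") for a in authorities):
        verdict = "developer-id"
    else:
        verdict = "other"
    return {"verdict": verdict,
            "team_id": None if team_id == "not set" else team_id,
            "authorities": authorities,
            "flags": flags}


# Constructed sample reports (placeholder paths, identifiers and Team ID).
ADHOC_REPORT = """\
Executable=/Applications/Example Viewer.app/Contents/MacOS/Example Viewer
Identifier=com.example.viewer
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=28+7 location=embedded
Signature=adhoc
Info.plist entries=22
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=4
Internal requirements count=0 size=12
"""

DEVID_REPORT = """\
Executable=/Applications/Example Editor.app/Contents/MacOS/Example Editor
Identifier=com.example.editor
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=4321 flags=0x10000(runtime) hashes=124+7 location=embedded
Signature size=8983
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jan 1, 2023 at 12:00:00 PM
Info.plist entries=30
TeamIdentifier=ABCDE12345
Sealed Resources version=2 rules=13 files=120
Internal requirements count=1 size=220
"""

UNSIGNED_REPORT = "/Applications/Example Tool.app: code object is not signed at all\n"


if __name__ == "__main__":
    # With a bundle path argument, triage a real bundle (macOS); otherwise the samples.
    reports = ([run_codesign(sys.argv[1])] if len(sys.argv) > 1
               else [ADHOC_REPORT, DEVID_REPORT, UNSIGNED_REPORT])
    for report in reports:
        result = triage_signature(report)
        print(result["verdict"], result["team_id"], "; ".join(result["flags"]))
```

An ad-hoc signature carries no certificate chain, so Apple cannot notarize such an app and Gatekeeper refuses to open it by default; that is why the infection described above depends on the victim overriding Gatekeeper by hand. Running this triage over the apps in `/Applications` and in users’ Downloads folders gives a quick inventory of bundles that got onto a Mac by that route.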

The second-stage payload, written in Objective-C, is a basic application that can view PDF files; the next phase of the attack chain starts only when a booby-trapped PDF file is opened through the app.

One such nine-page PDF document identified by Jamf claims to offer an “investment strategy” and, when opened, reaches out to a command-and-control (C2) server to download and run a third-stage trojan: a Mach-O executable written in Rust with the ability to run system reconnaissance commands.

“The PDF viewer technology used by the attackers is sophisticated,” the researchers explained. “At this point, to perform the analysis, we not only need the stage 2 malware, but we also need the correct PDF file to act as a key to execute the malicious code within the application.”

It is not clear at this time how initial access was obtained, or whether the attack was successful. Even so, the development is a sign that the threat actor is continuing to adapt.

The findings also come amid a busy period of coordinated attacks by the Lazarus Group targeting organizations across countries and industries to carry out strategic intelligence gathering and cryptocurrency theft.

The Lazarus Group (also known as Hidden Cobra and Diamond Sleet) is less a single team than a catch-all term for a mix of state-sponsored and criminal hacking groups operating within North Korea’s main foreign intelligence agency, the Reconnaissance General Bureau (RGB).

The group’s recent activity provides new evidence of its growing interest in exploiting software supply chain trust relationships as entry points into corporate networks.

Last week, the adversary was linked to a cascading supply chain attack in which a trojanized installer for a legitimate app known as X_TRADER was used to compromise enterprise communications software maker 3CX, whose Windows and macOS apps were in turn compromised.

Around the same time, ESET detailed the Lazarus Group’s recurring social engineering campaign, called Operation Dream Job, which used a Linux malware called SimplexTea.

“It’s also interesting that Lazarus can create and use native malware for all major desktop operating systems (Windows, macOS, Linux),” ESET malware researcher Marc-Etienne M.Léveillé pointed out last week.

Lazarus is not the only RGB-linked state-run hacking group known to operate on behalf of the sanctioned country. Another equally prolific threat actor is Kimsuky (aka APT43 or Emerald Sleet), a subgroup of which is tracked by Google’s Threat Analysis Group (TAG) as ARCHIPELAGO.

“The attackers primarily target organizations in the United States and South Korea, including government, military, manufacturing, academic, and think-tank organizations with expertise in defense and security, particularly nuclear security and non-proliferation policy. This includes individuals who work at such organizations,” Google-owned Mandiant noted last year.

Other lesser-known targets of Kimsuky include governments and educational institutions in India and Japan. This series of attacks is tracked by Taiwanese cybersecurity firm TeamT5 under the name KimDragon.

The group has a history of deploying numerous cyber weapons to exfiltrate sensitive information through a variety of tactics, including spear phishing, fraudulent browser extensions, and remote access Trojans.

The latest research published by VirusTotal highlights Kimsuky’s heavy reliance on malicious Microsoft Word documents to deliver its payload. The majority of the files were submitted to its malware scanning platform from South Korea, the United States, Italy, Israel, and the United Kingdom.

“The group uses a variety of techniques and tools, including spear phishing and credential harvesting, to carry out espionage, sabotage, and theft activities,” said the Google Chronicle subsidiary.
