
Researchers have pulled back the curtain on an updated version of the Apple macOS malware RustBucket, which comes with improved features for establishing persistence and evading detection by security software.
“This variant of RustBucket, a malware family targeting macOS systems, adds a previously unobserved persistence capability,” Elastic Security Labs researchers said in a report released this week, “and leverages a dynamic network infrastructure approach to command and control.”
RustBucket is the work of a North Korean threat actor known as BlueNoroff, part of a larger intrusion set tracked under the name Lazarus Group, an elite hacking force overseen by the country’s main intelligence agency, the Reconnaissance General Bureau (RGB).
The malware first came to light in April 2023, when Jamf Threat Labs described it as an AppleScript-based backdoor capable of retrieving a second-stage payload from a remote server. Elastic tracks the activity as REF9135.
The second-stage malware, compiled in Swift, downloads the main malware from a command and control (C2) server: a Rust-based binary with the ability to gather extensive system information and to fetch and execute additional Mach-O binaries or shell scripts on the compromised system.
It also marked the first instance of BlueNoroff malware specifically targeting macOS users, although a .NET version of RustBucket with a similar feature set has since surfaced.
In its analysis of the RustBucket campaign in late May 2023, French cybersecurity firm Sekoia noted, “This recent BlueNoroff activity demonstrates how the intrusion set utilizes cross-platform languages in its malware development efforts, and it shows how much more potential it has to expand its capabilities and extend its reach.”
The infection chain consists of a macOS installer file that installs a backdoored yet functional PDF reader. A key aspect of the attack is that the malicious activity is only triggered when a weaponized PDF file is opened with the malicious PDF reader. Initial intrusion vectors include phishing emails and the use of fake personas on social networks such as LinkedIn.

The observed attacks have been highly targeted, focusing on financial institutions in Asia, Europe, and the United States, which suggests the activity is aimed at illicit revenue generation to evade sanctions.
The newly identified version is notable for its unusual persistence mechanism and its use of a dynamic DNS domain (docsend.linkpc[.]net) for command and control, while incorporating countermeasures focused on staying under the radar.
“For this updated RUSTBUCKET sample, the path /Users/