Researchers have pulled back the curtain on an updated version of an Apple macOS malware family called RustBucket that comes with improved features for establishing persistence and avoiding detection by security software.
“This variant of RustBucket, a malware family that targets macOS systems, adds a previously unobserved persistence capability,” Elastic Security Labs researchers said in a report published this week, adding that it “leverages a dynamic network infrastructure approach to command and control.”
RustBucket is the work of a North Korean threat actor known as BlueNoroff, a subgroup of the larger intrusion set tracked under the name Lazarus Group, an elite hacking unit overseen by the country’s main intelligence agency, the Reconnaissance General Bureau (RGB).
</gml_replace>
<gr_replace lines="4" cat="clarify" orig="The malware was revealed">
The malware first came to light in April 2023, when Jamf Threat Labs described it as an AppleScript-based backdoor capable of retrieving a second-stage payload from a remote server. Elastic tracks the activity as REF9135.
The malware was revealed in April 2023 and Jamf Threat Labs described it as an AppleScript-based backdoor that can retrieve the second stage payload from remote servers. Elastic is monitoring activity as REF9135.
The second-stage malware, compiled in Swift, is designed to download the main malware from a command-and-control (C2) server: a Rust-based binary with the ability to gather extensive system information and to fetch and execute additional Mach-O binaries or shell scripts on the compromised host.
The development marked the first instance of BlueNoroff malware specifically targeting macOS users, although a .NET version of RustBucket with a similar feature set has since surfaced.
“This recent Bluenoroff activity demonstrates how the intrusion set is likely to utilize cross-platform languages in its malware development efforts to further extend its capabilities and extend its scope,” French cybersecurity firm Sekoia said in its analysis of the RustBucket campaign in late May 2023.
The infection chain consists of a macOS installer file that installs a backdoored, yet functional, PDF reader. A key aspect of the attack is that the malicious activity is triggered only when a weaponized PDF file is opened with the rogue PDF reader; the reader alone does nothing visibly malicious. Initial intrusion vectors include phishing emails and the use of fake personas on social networks such as LinkedIn.
The observed attacks are highly targeted, focusing on financial institutions in Asia, Europe, and the United States, which suggests that the activity is geared toward illicit revenue generation to evade sanctions.
What makes the newly identified version notable is its unusual persistence mechanism and its use of a dynamic DNS domain (docsend.linkpc[.]net) for command and control, alongside measures focused on staying under the radar.
“For this updated RUSTBUCKET sample, the path /Users/