July 1, 2023 | Ravi Lakshmanan | Endpoint security / malware

Researchers have pulled back the curtain on an updated version of an Apple macOS malware called RustBucket that comes with improved capabilities for establishing persistence and avoiding detection by security software.

“This variant of Rustbucket, a malware family targeting macOS systems, adds a previously unobserved persistence capability,” Elastic Security Labs researchers said in a report released this week, adding that it “leverages a dynamic network infrastructure approach to command and control.”

RustBucket is the work of a North Korean threat actor known as BlueNoroff, which is part of a larger intrusion set tracked under the name Lazarus Group, an elite hacking unit overseen by the country’s main intelligence agency, the Reconnaissance General Bureau (RGB).

The malware came to light in April 2023, when Jamf Threat Labs described it as an AppleScript-based backdoor capable of retrieving a second-stage payload from a remote server. Elastic is tracking the activity as REF9135.

The Swift-compiled second-stage malware is designed to download the main payload from a command-and-control (C2) server: a Rust-based binary able to gather extensive system information and to fetch and execute additional Mach-O binaries or shell scripts on the compromised system.

It is the first instance of BlueNoroff malware specifically targeting macOS users, although a .NET version of RustBucket with a similar feature set has since surfaced.

“This recent Bluenoroff activity demonstrates how the intrusion set is likely to utilize cross-platform languages in its malware development efforts to further extend its capabilities and extend its scope,” French cybersecurity firm Sekoia said in its analysis of the RustBucket campaign in late May 2023.

The infection chain consists of a macOS installer file that installs a backdoored yet functional PDF reader. A key aspect of the attack is that the malicious activity is triggered only when a weaponized PDF file is opened with the rogue PDF reader. Initial intrusion vectors include phishing emails and the use of fake personas on social networks such as LinkedIn.


The observed attacks are highly targeted, focusing on finance-related institutions in Asia, Europe, and the United States, which suggests the activity is geared toward generating illicit revenue to evade sanctions.

What makes the newly identified version notable is its unusual persistence mechanism and its use of a dynamic DNS domain (docsend.linkpc[.]net) for command and control, alongside measures aimed at staying under the radar.

“For this updated RUSTBUCKET sample, it establishes its own persistence by adding a plist file at the path /Users/<user>/Library/LaunchAgents/com.apple.systemupdate.plist, and places the malware binary at the path /Users/<user>/Library/Metadata/System Update,” the researchers said.
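The persistence entry described in that quote is something a defender can hunt for directly. The following script is an added example, not part of the article or of Elastic's report: it parses LaunchAgent plists with Python's standard-library `plistlib` and flags jobs whose label impersonates Apple (`com.apple.*`) while launching a program from a user-writable location, whose program sits under the unusual `~/Library/Metadata` directory, or whose label matches the reported `com.apple.systemupdate` indicator. The label and binary path come from the article; the sample plists and the `/Users/victim` home directory are constructed for the demonstration.

```python
"""Hunt for suspicious macOS LaunchAgent persistence of the kind reported above.

Added example (not the article's or Elastic's code). Indicator strings are the
ones quoted in the article; the sample plists below are constructed.
"""
import plistlib
from pathlib import Path
from typing import Dict, List

# Indicators quoted in the article: launchd label and binary location.
SUSPICIOUS_LABEL = "com.apple.systemupdate"
SUSPICIOUS_BINARY_SUFFIX = "Library/Metadata/System Update"

# Prefixes from which an Apple-labelled job would legitimately run. A
# "com.apple.*" label running something outside these deserves a look.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Library/Apple/", "/Applications/")


def program_path(plist: Dict) -> str:
    """Return the executable a launchd job runs: Program wins, else ProgramArguments[0]."""
    if "Program" in plist:
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def assess_launch_agent(plist: Dict) -> List[str]:
    """Return the reasons a parsed launchd job looks suspicious (empty list = nothing flagged)."""
    reasons: List[str] = []
    label = str(plist.get("Label", ""))
    program = program_path(plist)
    if label.startswith("com.apple.") and program and not program.startswith(TRUSTED_PREFIXES):
        reasons.append(f"Apple-style label {label!r} runs non-Apple path {program!r}")
    if program.endswith(SUSPICIOUS_BINARY_SUFFIX):
        reasons.append("program lives under ~/Library/Metadata, an unusual home for an executable")
    if label == SUSPICIOUS_LABEL:
        reasons.append(f"label matches the reported RustBucket indicator {SUSPICIOUS_LABEL!r}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive: relaunched at login and whenever it exits")
    return reasons


def assess_plist_bytes(data: bytes) -> List[str]:
    """Parse raw plist bytes (XML or binary) and assess the job they describe."""
    return assess_launch_agent(plistlib.loads(data))


def scan_launch_agents(directory: Path) -> Dict[str, List[str]]:
    """Assess every .plist in a LaunchAgents directory; unparseable files are reported too."""
    findings: Dict[str, List[str]] = {}
    for path in sorted(directory.glob("*.plist")):
        try:
            reasons = assess_plist_bytes(path.read_bytes())
        except Exception as exc:  # a malformed plist in LaunchAgents is itself worth noting
            reasons = [f"could not parse: {exc}"]
        if reasons:
            findings[path.name] = reasons
    return findings


# Constructed sample modelled on the quoted persistence entry (not a real capture).
SAMPLE_MALICIOUS_PLIST = plistlib.dumps({
    "Label": SUSPICIOUS_LABEL,
    "ProgramArguments": ["/Users/victim/Library/Metadata/System Update"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

# Constructed benign entry: third-party label, program inside /Applications.
SAMPLE_BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    for name, data in (("malicious", SAMPLE_MALICIOUS_PLIST), ("benign", SAMPLE_BENIGN_PLIST)):
        print(name, assess_plist_bytes(data) or "clean")
    # On a real Mac, also sweep the current user's LaunchAgents directory.
    user_agents = Path.home() / "Library" / "LaunchAgents"
    if user_agents.is_dir():
        for fname, reasons in scan_launch_agents(user_agents).items():
            print(fname, reasons)
```

The label check matters more than the exact indicator strings: the reported sample borrowed an Apple-looking label, so pairing the label's namespace against the program's location catches the same trick under a different file name. On a fleet, run `scan_launch_agents` over `/Library/LaunchAgents` and every user's `~/Library/LaunchAgents` and forward the findings to your SIEM.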
