Researchers have unveiled an updated version of RustBucket, a malware family that targets Apple's macOS, with improved ability to establish persistence and avoid detection by security software.

“This variant of RustBucket, a family of malware targeting macOS systems, adds previously unseen persistence capabilities”, Elastic Security Labs researchers stated in a report released this week, adding that the malware exploits “a dynamic network infrastructure methodology for the command and control”.

RustBucket is the work of a North Korean hacker (or group) known as BlueNoroff, which is part of a larger set of intrusions identified as the Lazarus Group, an elite hacking unit overseen by the Reconnaissance General Bureau (RGB), the country’s main intelligence agency.

The malware appeared in April 2023, when Jamf Threat Labs described it as an AppleScript-based backdoor capable of retrieving a second-stage payload from a remote server. Elastic is tracking the activity as REF9135.

The second-stage malware, compiled in Swift, is designed to download the main malware from the command and control (C2) server: a Rust-based binary able to gather information about the system and to retrieve and execute further Mach-O binaries or shell scripts on the compromised machine.

This is the first case of BlueNoroff malware targeting macOS users specifically, although a .NET version of RustBucket with a similar feature set has since emerged.

“This recent activity by Bluenoroff illustrates how intrusion sets are turning to cross-platform languages in the development of their malware, further expanding their capabilities and most likely expanding their victimology as well”, French cybersecurity firm Sekoia stated in an analysis of the RustBucket campaign at the end of May 2023.

The infection chain consists of a macOS setup file that installs a backdoored but functional PDF reader. A significant aspect of the attacks is that malicious activity is only triggered when a manipulated PDF file is launched using the fraudulent PDF reader. The initial intrusion vector includes phishing emails, as well as the use of false identities on social networks such as LinkedIn.

Where does RustBucket predominantly hit?

The observed attacks are highly targeted and focused on financial institutions in Asia, Europe and the United States, suggesting that the activity is aimed at generating illicit revenues to evade sanctions.

What makes this newly identified version distinctive is its unusual persistence mechanism and its use of a dynamic DNS domain (docsend.linkpc[.]net) for command and control, together with the steps it takes to stay under the radar.

“In the case of this updated RustBucket sample, it establishes its persistence by adding a plist file to the path /Users/ /Library/LaunchAgents/com.apple.systemupdate.plist, and copies the malware binary to the following path /Users/ /Library/Metadata/System Update”, stated the researchers.
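The persistence artifacts quoted above are a good fit for a host-based check. The following script is an added example and is not code from the article, from Elastic or from the malware: it parses the plists in a user's ~/Library/LaunchAgents with Python's standard plistlib and flags the traits the researchers describe (an Apple-looking label in a user directory, the reported label, the reported drop location under Library/Metadata, and the reported C2 domain). The function names, the "victim" username and the embedded sample plist are constructed for illustration.

```python
import plistlib
from pathlib import Path

# Indicators quoted in the article (from Elastic's write-up); the defanged C2 domain is
# restored to plain form so it can be matched inside plist contents.
KNOWN_LABEL = "com.apple.systemupdate"
KNOWN_BINARY_DIR = "Library/Metadata/System Update"
KNOWN_C2 = "docsend.linkpc.net"

def assess_launch_agent(name: str, data: bytes) -> list[str]:
    """Return the reasons a user-level LaunchAgent plist resembles RustBucket persistence."""
    try:
        plist = plistlib.loads(data)
    except Exception:
        return [f"{name}: not a parseable plist"]
    reasons = []
    label = str(plist.get("Label", ""))
    # Apple's own agents ship under /System/Library or /Library, never under a user's
    # ~/Library/LaunchAgents, so a "com.apple.*" label there is a spoofing hint.
    if label.startswith("com.apple."):
        reasons.append(f"{name}: Apple-style label '{label}' in a user LaunchAgents directory")
    if label == KNOWN_LABEL:
        reasons.append(f"{name}: label matches the reported RustBucket sample")
    args = plist.get("ProgramArguments") or []
    program = str(plist.get("Program") or (args[0] if args else ""))
    if KNOWN_BINARY_DIR in program:
        reasons.append(f"{name}: program path '{program}' matches the reported drop location")
    if KNOWN_C2 in data.decode("utf-8", "replace"):
        reasons.append(f"{name}: references the reported C2 domain {KNOWN_C2}")
    return reasons

def scan_user_launch_agents(home: Path = Path.home()) -> dict[str, list[str]]:
    """Assess every plist in <home>/Library/LaunchAgents; returns {filename: reasons}."""
    findings = {}
    for path in (home / "Library" / "LaunchAgents").glob("*.plist"):
        reasons = assess_launch_agent(path.name, path.read_bytes())
        if reasons:
            findings[path.name] = reasons
    return findings

# Constructed sample modelled on the paths the article quotes; "victim" is a made-up username.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.systemupdate</string>
  <key>ProgramArguments</key>
  <array><string>/Users/victim/Library/Metadata/System Update</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""
```

On a live Mac, `scan_user_launch_agents()` returns only the agents that trip at least one check; an empty dict means none of these specific traits was seen, not that the host is clean.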

In conclusion

The RustBucket update reveals an evolution in the capabilities and tactics used by cyberthreat groups, in particular by BlueNoroff, which appears to be “related” to the Lazarus Group.

Its ability to establish persistence and evade detection highlights a growing sophistication in macOS malware design. Financial institutions are the main targets of these highly targeted attacks, indicating that the goal is generating illicit revenue to evade sanctions.

This highlights the importance of cyber security and user awareness to protect one’s systems from such increasingly advanced threats.

It must also be said that, as on Windows, a good anti-malware tool can be useful; Malwarebytes, for example, is also available for macOS.