The upgraded Rustbucket virus for Apple macOS has been revealed by researchers. It has better capabilities for establishing persistence and evading detection by security tools.
According to a paper released this week by Elastic Security Labs researchers, “this variant of Rustbucket, a malware family that targets macOS systems, adds persistence capabilities not previously observed,” and it also “leverages a dynamic network infrastructure methodology for command-and-control.”
The creator of RustBucket is a North Korean threat actor by the name of BlueNoroff. Lazarus Group, an elite hacking group under the control of the Reconnaissance General Bureau (RGB), the country’s main intelligence organization, is tracking this threat actor as part of a broader incursion set.
The virus was discovered in April 2023, when Jamf Threat Labs defined it as an AppleScript-based backdoor that could fetch a second-stage payload from a distant server. The action is being watched by Elastic under REF9135.
The core malware is a Rust-based binary with functionality to gather significant information as well as fetch and run other Mach-O binaries or shell scripts on the infected machine. The second-stage malware, coded in Swift, is meant to download from the command-and-control (C2) server.
Despite the fact that a.NET version of RustBucket with a similar set of functionality has subsequently been discovered in the market, it is the first instance of BlueNoroff malware expressly targeting macOS users.
“This recent Bluenoroff activity illustrates how intrusion sets turn to cross-platform language in their malware development efforts, further expanding their capabilities highly likely to broaden their victimology,” the French cybersecurity firm Sekoia said in an analysis of the RustBucket campaign in late May 2023.
The first link in the infection chain is a macOS installation file that sets up a backdoored yet useful PDF reader. The fact that the destructive activity is only started when a weaponized PDF file is launched using the rogue PDF reader is an important feature of the assaults. Phishing emails and the use of false personas on social networks like LinkedIn are examples of the first infiltration vector.
The fact that the attacks are highly targeted and concentrated on financial institutions in Asia, Europe, and the United States raises the possibility that the activity is intended to generate illegal income in order to dodge sanctions.
The newly discovered version stands out due to its peculiar persistence technique, usage of the dynamic DNS domain (docsend.linkpc[.]net) for command and control, and incorporation of covert security measures.
The researchers explained that in the case of this updated RUSTBUCKET sample, it creates its own persistence by adding a plist file at the path /Users/user>/Library/LaunchAgents/com.apple.systemupdate.plist and copying the malware’s binary to the path /Users/user>/Library/Metadata/System Update.
