A financially motivated North Korean threat actor is suspected of being behind a new Apple macOS malware family dubbed RustBucket.
“(RustBucket) communicates with a command and control server (C2) to download and run various payloads,” Jamf Threat Labs researchers Ferdous Saljooki and Jaron Bradley said in a technical report published last week.
Jamf, an Apple device management firm, linked it to a threat actor known as BlueNoroff, a subgroup within the infamous Lazarus cluster that is also tracked under the names APT38, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and TA444.
The connection stems from tactical and infrastructural overlaps with a previous campaign exposed by Russian cybersecurity firm Kaspersky in late December 2022 that was likely aimed at Japanese financial entities using fake domains posing as venture capital firms.
BlueNoroff, unlike the other constituent entities of the Lazarus Group, is known for sophisticated cyber-enabled heists targeting SWIFT systems as well as cryptocurrency exchanges as part of an intrusion set tracked as CryptoCore.
Earlier this year, the US Federal Bureau of Investigation (FBI) implicated the threat actor in the theft of $100 million worth of cryptocurrency assets from the Harmony Horizon Bridge in June 2022.
BlueNoroff’s attack repertoire is also said to have undergone major changes over the last few months, with the group using job-themed lures to trick email recipients into entering their credentials on fake landing pages.
The macOS malware identified by Jamf masquerades as an “Internal PDF Viewer” application to activate the infection, though it’s worth noting that a successful attack depends on the victim manually overriding Gatekeeper’s protections.
In reality, it’s an AppleScript file engineered to fetch a second-stage payload from a remote server, which also shares the same name as its predecessor. Both malicious apps are signed with an ad-hoc signature.
The second-stage payload, written in Objective-C, is a bare-bones application that offers the ability to view PDF files and only initiates the next phase of the attack chain when a booby-trapped PDF file is opened through the application.
One such nine-page PDF document identified by Jamf purports to offer an “investment strategy”; when opened, it reaches out to a command-and-control (C2) server to download and execute a third-stage trojan, a Mach-O executable written in Rust that includes the ability to run system reconnaissance commands.
“The PDF viewer technique used by this attacker is a clever one,” the researchers explained. “At this point, to perform the analysis, we not only need stage two malware, but we also need a valid PDF file that operates as a key to execute malicious code within the application.”
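The chain above (an AppleScript applet posing as an app, an ad-hoc signature on both stages, and a Gatekeeper override by the victim) suggests a few checks a defender can run on a suspicious bundle before any dynamic analysis. The following Python script is an added example written for this page; it is not Jamf's tooling or any code from the report. The `codesign` and `xattr` outputs it parses are constructed fixtures, the applet check assumes the stock Script Editor export layout (`Contents/MacOS/applet` plus `Contents/Resources/Scripts/main.scpt`), and the bundle it builds in a temp directory is empty, not malware.

```python
#!/usr/bin/env python3
"""Triage checks for a suspicious macOS app bundle (added example, not Jamf's code).

Looks for three traits the RustBucket chain exhibits: a main executable that is
the AppleScript applet stub rather than a compiled program, an ad-hoc code
signature (no Developer ID / Team ID), and the state of the com.apple.quarantine
attribute (Gatekeeper only evaluates files that still carry it).
"""
import re
import subprocess
import tempfile
from pathlib import Path

# Files Script Editor writes when exporting an AppleScript as an application.
APPLET_BINARY = Path("Contents/MacOS/applet")
APPLET_SCRIPT = Path("Contents/Resources/Scripts/main.scpt")


def is_applescript_applet(bundle: Path) -> bool:
    """True if the bundle's main executable is the stock AppleScript applet stub."""
    return (bundle / APPLET_BINARY).is_file() and (bundle / APPLET_SCRIPT).is_file()


def parse_codesign(output: str) -> dict:
    """Classify signing state from `codesign -dv --verbose=4 <bundle>` output.

    codesign prints `Signature=adhoc` and `TeamIdentifier=not set` for ad-hoc
    signed code and `code object is not signed at all` for unsigned code;
    Developer ID signed apps carry a 10-character Team ID and an Authority chain.
    """
    if "not signed at all" in output:
        return {"status": "unsigned", "team_id": None, "identifier": None}
    fields = dict(re.findall(r"^([A-Za-z]+)=(.*)$", output, re.M))
    team = fields.get("TeamIdentifier", "not set")
    adhoc = fields.get("Signature") == "adhoc" or team == "not set"
    return {
        "status": "adhoc" if adhoc else "signed",
        "team_id": None if team == "not set" else team,
        "identifier": fields.get("Identifier"),
    }


def parse_quarantine(value: str) -> dict:
    """Decode a com.apple.quarantine value: flags;hex timestamp;agent;uuid."""
    flags, stamp, agent, *rest = value.split(";")
    return {"flags": int(flags, 16), "timestamp": int(stamp, 16),
            "agent": agent, "uuid": rest[0] if rest else None}


def triage(bundle: Path) -> dict:
    """Run the live checks on a Mac; only this function shells out."""
    cs = subprocess.run(["codesign", "-dv", "--verbose=4", str(bundle)],
                        capture_output=True, text=True)
    xa = subprocess.run(["xattr", "-p", "com.apple.quarantine", str(bundle)],
                        capture_output=True, text=True)
    return {
        "applet": is_applescript_applet(bundle),
        "signing": parse_codesign(cs.stderr + cs.stdout),
        "quarantine": parse_quarantine(xa.stdout.strip()) if xa.returncode == 0 else None,
    }


# Constructed fixtures so the parsers can be exercised off a Mac.
ADHOC_CODESIGN_OUTPUT = """Executable=/tmp/Internal PDF Viewer.app/Contents/MacOS/applet
Identifier=com.apple.ScriptEditor.id.Internal-PDF-Viewer
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=500 flags=0x2(adhoc) hashes=8+3 location=embedded
Signature=adhoc
Info.plist entries=20
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=3
"""

DEVID_CODESIGN_OUTPUT = """Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20500 size=1200 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9000
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""


def make_synthetic_applet_bundle(root: Path) -> Path:
    """Create an empty bundle with the applet layout (constructed, not malware)."""
    bundle = root / "Internal PDF Viewer.app"
    for rel in (APPLET_BINARY, APPLET_SCRIPT):
        (bundle / rel).parent.mkdir(parents=True, exist_ok=True)
        (bundle / rel).write_bytes(b"")
    return bundle


def applet_layout_selftest() -> bool:
    """Build the synthetic bundle in a temp dir and confirm the layout check fires."""
    with tempfile.TemporaryDirectory() as tmp:
        return is_applescript_applet(make_synthetic_applet_bundle(Path(tmp)))


if __name__ == "__main__":
    print("applet layout detected:", applet_layout_selftest())
    print(parse_codesign(ADHOC_CODESIGN_OUTPUT))
    print(parse_codesign(DEVID_CODESIGN_OUTPUT))
    print(parse_quarantine("0083;60000000;Chrome;E1F1A7C2-0000-4000-8000-000000000000"))
```

Treat the ad-hoc result as a triage signal rather than a verdict: locally built developer binaries and ordinary Script Editor applets are ad-hoc signed too. A missing quarantine attribute is worth noting for the opposite reason; Gatekeeper never assessed a bundle that arrived through a channel that does not set it.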
It is currently unclear how initial access was obtained and whether the attack was successful, but the development is a sign that threat actors are adapting their toolsets to accommodate cross-platform malware using programming languages such as Go and Rust.
The findings also come amid a busy period of attacks orchestrated by the Lazarus Group aimed at organizations across countries and industry verticals to gather strategic intelligence and commit cryptocurrency theft.
The Lazarus Group (aka Hidden Cobra and Diamond Sleet) is less of a distinct outfit and more of an umbrella term for the mix of state-sponsored and criminal hacker groups that sit within the Reconnaissance General Bureau (RGB), North Korea’s main foreign intelligence apparatus.
Recent activity has offered new evidence of threat actors’ growing interest in exploiting trust relationships in software supply chains as entry points to enterprise networks.
Last week, the collective was linked to a cascading supply chain attack that weaponized a trojanized installer for a legitimate application known as X_TRADER to breach enterprise communications software maker 3CX and poison its Windows and macOS applications.
Around the same time, ESET detailed the Lazarus Group’s use of Linux malware dubbed SimplexTea against the backdrop of a long-running social engineering campaign referred to as Operation Dream Job.
“It is also interesting to note that Lazarus can produce and deploy native malware for all major desktop operating systems: Windows, macOS, and Linux,” said ESET malware researcher Marc-Etienne M.Léveillé last week.
Lazarus is far from the only RGB-affiliated state-sponsored hacking group known to carry out operations on behalf of the sanctioned nation. Another equally prolific threat actor is Kimsuky (aka APT43 or Emerald Sleet), a subgroup monitored by the Google Threat Analysis Group (TAG) as ARCHIPELAGO.
“This actor primarily targets organizations in the US and South Korea, including individuals working in government, military, manufacturing, academia, and think tanks with subject matter expertise in defense and security, particularly nuclear security and nonproliferation policy,” Google-owned Mandiant noted last year.
Kimsuky’s other lesser-known targets include government and educational institutions in India and Japan, a series of attacks that were tracked by Taiwanese cybersecurity firm TeamT5 under the name KimDragon.
The group has a history of deploying a raft of cyber weapons to extract sensitive information through tactics such as spear-phishing, deceptive browser extensions and remote access trojans.
Recent findings released by VirusTotal highlight Kimsuky’s heavy reliance on malicious Microsoft Word documents to deliver its payloads. Most of the files were submitted to the malware scanning platform from South Korea, the US, Italy and Israel, as well as the UK.
“The group uses a variety of techniques and tools to conduct espionage, sabotage and theft operations, including spear phishing and credential harvesting,” the Google Chronicle subsidiary said.