Researchers have pulled back the curtain on the latest version of a macOS malware called RustBucket, which comes with enhanced capabilities to establish persistence and evade detection by security software.
“This Rustbucket variant, a malware family that targets macOS systems, adds persistence capabilities not previously observed,” Elastic Security Labs researchers said in a report published this week, adding that it “utilizes dynamic network infrastructure methodologies for command-and-control.”
RustBucket is the work of a North Korean threat actor known as BlueNoroff, which is part of a larger intrusion set tracked under the name Lazarus Group, an elite hacking unit overseen by the Reconnaissance General Bureau (RGB), the country’s main intelligence agency.
The malware was first documented in April 2023, when Jamf Threat Labs described it as an AppleScript-based backdoor capable of fetching second-stage payloads from remote servers. Elastic tracks the activity as REF9135.
The second-stage malware, compiled in Swift, is designed to download the main payload from command-and-control (C2) servers: a Rust-based binary that gathers extensive system information and can fetch and run additional Mach-O binaries or shell scripts on compromised hosts.
This was the first example of BlueNoroff malware specifically targeting macOS users, though a .NET version of RustBucket with a similar set of features has emerged in the wild.
“Bluenoroff’s recent activity illustrates how intrusion sets are turning to cross-platform languages in their malware development efforts, further expanding their capabilities very likely to expand their victimology,” French cybersecurity firm Sekoia said in its analysis of the RustBucket campaign in late May 2023.
The infection chain consists of a macOS installer file that installs a backdoored, but functional, PDF reader. A significant aspect of the attack is that the malicious activity is triggered only when a weaponized PDF file is opened with the rogue PDF reader. Early intrusion vectors included phishing emails as well as fake personas on social networks such as LinkedIn.
The observed attacks were highly targeted and focused on financial institutions in Asia, Europe, and the U.S., indicating that the activity is geared towards illicit revenue generation as a way to evade sanctions.
What makes the newly identified version stand out is its unusual persistence mechanism and its use of a dynamic DNS domain (docsend.linkpc(.)net) for command-and-control, along with measures specifically intended to keep it under the radar.
“In the case of this updated RUSTBUCKET sample, it establishes its own persistence by adding a plist file in the path /Users/
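Both the persistence mechanism and the dynamic DNS C2 domain described above are things a defender can hunt for on an endpoint. The following Python script is an added example written for this page, not code from Elastic's report or from the malware itself. Because the quoted path is cut off at /Users/, it assumes the plist is a per-user launchd agent (the kind that lives under ~/Library/LaunchAgents) and flags agents whose executable sits outside trusted system locations, whose label imitates Apple naming while pointing at a non-Apple binary, or whose arguments reference a dynamic DNS host. It runs against two constructed sample plists embedded inline; the trusted path prefixes, the dynamic DNS suffixes other than linkpc.net, and every label and file path in the samples are assumptions chosen for illustration.

```python
import plistlib
import re
import sys
from pathlib import Path

# Suffixes of free dynamic DNS services. linkpc.net is the one named in the
# report; the others are assumptions added for illustration.
DYNAMIC_DNS_SUFFIXES = ("linkpc.net", "ddns.net", "no-ip.org", "dyndns.org")

# A launch agent whose executable lives under one of these prefixes is treated
# as expected; anything else (home directory, /tmp, /private/var) is flagged.
TRUSTED_EXEC_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/",
                         "/Applications/", "/Library/Apple/")

# Loose hostname matcher used to pull hosts or URLs out of ProgramArguments.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


def is_dynamic_dns(hostname: str) -> bool:
    """True if hostname is, or sits under, a known dynamic DNS suffix."""
    host = hostname.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def analyze_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return the reasons a launchd plist looks like malicious persistence.

    An empty list means nothing suspicious was found. Accepts XML or binary
    plist bytes (plistlib autodetects the format)."""
    data = plistlib.loads(plist_bytes)
    findings: list[str] = []
    args = data.get("ProgramArguments") or []
    program = data.get("Program") or (args[0] if args else None)
    label = data.get("Label", "")

    if program is None:
        return ["no Program or ProgramArguments key"]

    if not program.startswith(TRUSTED_EXEC_PREFIXES):
        findings.append(f"executable outside trusted paths: {program}")
        # RunAtLoad/KeepAlive are normal for legitimate agents, so they only
        # count as findings when paired with an untrusted executable.
        if data.get("RunAtLoad"):
            findings.append("RunAtLoad: untrusted executable starts at every login")
        if data.get("KeepAlive"):
            findings.append("KeepAlive: untrusted executable is relaunched if killed")

    if label.startswith("com.apple.") and not program.startswith(("/System/", "/usr/")):
        findings.append(f"Apple-style label '{label}' but non-Apple executable path")

    for arg in args:
        for host in HOST_RE.findall(arg):
            if is_dynamic_dns(host):
                findings.append(f"argument references dynamic DNS host: {host}")
    return findings


def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Analyze every .plist in directory; return {filename: findings} for flagged files."""
    flagged: dict[str, list[str]] = {}
    if not directory.is_dir():
        return flagged
    for plist_path in sorted(directory.glob("*.plist")):
        try:
            findings = analyze_launch_agent(plist_path.read_bytes())
        except Exception as exc:  # a plist launchd cannot parse is itself worth a look
            findings = [f"unparseable plist: {exc}"]
        if findings:
            flagged[plist_path.name] = findings
    return flagged


# Constructed sample (not a real artifact from the campaign): Apple-looking
# label, binary under the user's home directory, started at login, and a
# dynamic DNS C2 host passed as an argument. All names are invented.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.apple.softwareupdate.agent</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/victim/Library/Application Support/.update/SystemUpdate</string>
        <string>https://docsend.linkpc.net/</string>
    </array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed benign sample: vendor label, binary inside an app bundle.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.backupagent</string>
    <key>Program</key><string>/Applications/BackupApp.app/Contents/MacOS/backup-agent</string>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    # Scan a directory given on the command line, defaulting to the current
    # user's LaunchAgents folder, then show the constructed sample for comparison.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / "Library" / "LaunchAgents"
    for name, reasons in scan_launch_agents(target).items():
        print(f"[!] {name}")
        for reason in reasons:
            print("    -", reason)
    print("constructed sample:", analyze_launch_agent(SUSPICIOUS_PLIST))
```

Run it with no arguments to triage the current user's agents, or pass a directory copied from a disk image. The checks are deliberately coarse: a legitimate third-party agent installed into the home directory will also be flagged, which is the right trade-off for a hunting script whose output a human reviews, and the dynamic DNS check only catches a C2 host that is written into the plist itself; a host resolved at runtime by the binary has to be hunted in DNS logs instead.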