
BlueNoroff APT Group Targets macOS Users With New RustBucket Malware

A new macOS malware family has been observed in recent attacks by the North Korea-linked BlueNoroff threat group, believed to be a subgroup of the Lazarus hacking group. This multi-stage malware is dubbed RustBucket and fetches additional payloads from its C2 server. 

BlueNoroff’s attack campaign

According to Jamf Threat Labs, the BlueNoroff stage-one malware is packaged as an unsigned application named Internal PDF Viewer, whose only real job is to fetch and run the stage-two payload.
  • Because Internal PDF Viewer is unsigned, Gatekeeper refuses to launch it on first open; the attackers must therefore socially engineer the victim into manually overriding that block (for example, by right-clicking the app and choosing Open) before the infection chain can start.
  • The second-stage payload uses a bundle identifier that imitates Apple's own com.apple.* naming. It opens a decoy PDF containing material lifted from the website of a genuine venture capital firm, so the victim sees a plausible document while the chain continues in the background.
  • The second stage then contacts the C2 server to retrieve the stage-three payload: a signed trojan written in Rust and built for both Intel (x86_64) and Apple silicon (arm64) Macs.
  • Once installed, the trojan collects system details, including the list of running processes and the current time, and lets the operator execute further actions on the infected machine.
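The chain above leaves two tells a defender can hunt for on a Mac: an app that carries an Apple-style com.apple.* bundle identifier but is not signed by Apple's first-party "Software Signing" chain, and an app that is unsigned or only ad-hoc signed (which a user could only have launched by overriding Gatekeeper). The script below is an added example written for this write-up, not Jamf's or Cyware's tooling. It reads CFBundleIdentifier from each bundle's Info.plist and interprets the Authority= lines that `codesign -dv --verbose=2` prints on stderr; the bundle identifier, app name and codesign transcripts used in the demo are constructed here, not taken from the campaign.

```python
"""Triage macOS app bundles for the RustBucket-style tells described above.

Added illustration, not code from the Jamf or Cyware write-ups. Live mode
assumes macOS `codesign -dv --verbose=2` output (Authority= lines on stderr);
the parsing and verdict logic also run offline on captured codesign text.
"""
import plistlib
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Certificate chain Apple uses for its own shipped software (leaf first).
APPLE_FIRST_PARTY_CHAIN = (
    "Software Signing",
    "Apple Code Signing Certification Authority",
    "Apple Root CA",
)

# Constructed codesign transcripts (sample data for offline use, not real captures).
SAMPLE_CODESIGN: Dict[str, str] = {
    "apple": "Identifier=com.apple.Safari\nAuthority=Software Signing\n"
             "Authority=Apple Code Signing Certification Authority\nAuthority=Apple Root CA\n",
    "devid": "Identifier=com.example.ok\nAuthority=Developer ID Application: Example Corp (ABCDE12345)\n"
             "Authority=Developer ID Certification Authority\nAuthority=Apple Root CA\n",
    "adhoc": "Identifier=com.apple.example-viewer\nSignature=adhoc\n",
    "unsigned": "/path/Internal PDF Viewer.app: code object is not signed at all\n",
}


def bundle_identifier(app_path: Path) -> Optional[str]:
    """Read CFBundleIdentifier from <App>.app/Contents/Info.plist (None if absent)."""
    info = app_path / "Contents" / "Info.plist"
    if not info.is_file():
        return None
    with info.open("rb") as fh:
        return plistlib.load(fh).get("CFBundleIdentifier")


def parse_codesign(text: str) -> Dict[str, object]:
    """Extract signing state from `codesign -dv --verbose=2` output."""
    authorities: List[str] = [
        line.split("=", 1)[1].strip()
        for line in text.splitlines()
        if line.startswith("Authority=")
    ]
    return {
        "unsigned": "not signed at all" in text,
        "adhoc": "Signature=adhoc" in text,
        "authorities": authorities,
    }


def verdict(bundle_id: Optional[str], sig: Dict[str, object]) -> str:
    """Rank the bundle: Apple-lookalike identifier first, then signature state."""
    claims_apple = bool(bundle_id) and bundle_id.startswith("com.apple.")
    apple_signed = tuple(sig["authorities"]) == APPLE_FIRST_PARTY_CHAIN
    if claims_apple and not apple_signed:
        return "SUSPICIOUS: com.apple.* bundle id without Apple first-party signature"
    if sig["unsigned"]:
        return "UNSIGNED: Gatekeeper blocks this; a launch implies a manual override"
    if sig["adhoc"]:
        return "ADHOC: no signing identity; cannot be notarized"
    return "OK"


def codesign_text(app_path: Path) -> str:
    """Live mode (macOS only): capture codesign's diagnostic output."""
    proc = subprocess.run(["codesign", "-dv", "--verbose=2", str(app_path)],
                          capture_output=True, text=True)
    return proc.stderr + proc.stdout


def audit(app_path: Path, codesign_output: Optional[str] = None) -> str:
    """Audit one bundle; pass captured codesign text to run offline."""
    text = codesign_output if codesign_output is not None else codesign_text(app_path)
    return verdict(bundle_identifier(app_path), parse_codesign(text))


def make_sample_bundle(root: Path, name: str, bundle_id: str) -> Path:
    """Build a minimal <name>.app skeleton with an Info.plist (constructed test data)."""
    app = root / f"{name}.app"
    (app / "Contents").mkdir(parents=True, exist_ok=True)
    with (app / "Contents" / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleIdentifier": bundle_id, "CFBundleName": name}, fh)
    return app


def demo() -> Dict[str, str]:
    """Offline walk-through over constructed bundles; returns name -> verdict."""
    results: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Hypothetical lookalike identifier; the real one is not reproduced here.
        impostor = make_sample_bundle(root, "Internal PDF Viewer", "com.apple.example-viewer")
        results["Internal PDF Viewer"] = audit(impostor, SAMPLE_CODESIGN["adhoc"])
        dropper = make_sample_bundle(root, "Dropper", "com.example.dropper")
        results["Dropper"] = audit(dropper, SAMPLE_CODESIGN["unsigned"])
        benign = make_sample_bundle(root, "Safari", "com.apple.Safari")
        results["Safari"] = audit(benign, SAMPLE_CODESIGN["apple"])
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

On a live Mac, call `audit(Path("/Applications/Some.app"))` with no second argument and the script shells out to `codesign` itself; wrap that in a loop over `/Applications` and `~/Applications` to sweep a host. The check is deliberately strict: a Developer ID chain still ends in "Apple Root CA", so matching only the root would let any third-party developer claim a com.apple.* identifier, which is why the verdict compares the whole first-party chain.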

Attribution

Researchers have highlighted several clues linking this campaign to earlier BlueNoroff activity (BlueNoroff being a sub-group of the Lazarus APT).
  • The stage-one payload contacts the domain cloud[.]dnx[.]capital, which was already associated with BlueNoroff in previous campaigns.
  • The venture-capital theme of the decoy PDF matches the lookalike investment-firm domains BlueNoroff has registered for its earlier lures.

Conclusion

BlueNoroff has expanded its arsenal to target macOS devices effectively. The multi-stage design of RustBucket, with each stage fetching the next from the C2 server, makes the threat harder for defenders to detect and block. macOS users are advised to take a proactive stance: block the known malicious domains, run reputable endpoint protection, and never override Gatekeeper to launch an unsigned application received by email or chat.
Cyware Publisher