RustBucket Malware: North Korean Hackers Target macOS Users
Elastic Security Labs researchers have recently described an updated build of the RustBucket malware that targets macOS users. The new version persists more robustly on victims' systems and is able to evade detection by security software.
RustBucket: An AppleScript-Based Backdoor
RustBucket was first discovered in the spring of 2023 by Jamf Threat Labs. The researchers described it as an AppleScript-based backdoor capable of retrieving a second-stage payload from a remote server. The malware is attributed to the North Korean BlueNoroff group (tracked as REF9135 in the Elastic Security Labs classification), which is part of the larger threat cluster known as Lazarus.
Second-Stage Malware
The second-stage component is compiled in Swift and is designed to download the main malware, a binary written in Rust and Objective-C, from the attackers' command-and-control server. That main payload has extensive data collection capabilities and can also retrieve and run additional Mach-O files or shell scripts on the compromised system.
Notably, this was the first BlueNoroff malware written specifically to attack macOS users, although a .NET version of RustBucket with a similar feature set has since appeared.
Such attacks typically begin with phishing emails, and the operators also use fictitious personas created for the purpose on social networks (for example, LinkedIn). Their campaigns tend to target financial institutions in Asia, Europe and the United States, which suggests that the group's activity is aimed at generating illicit revenue and evading sanctions.
The attacks generally rely on a macOS installer package that drops a hidden but fully functional PDF reader. A key feature of these attacks is that the malicious activity begins only when a specially crafted PDF file is opened with this malicious reader.
Updated RustBucket Malware
The version of RustBucket discovered by Elastic Security Labs is the most notable so far. It has an explicit persistence mechanism, uses dynamic DNS (docsend.linkpc[.]net) for its infrastructure, and includes a number of measures aimed at concealing the attackers' activity.
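The dynamic DNS indicator above is the kind of detail a defender can act on directly by sweeping resolver logs. The following script is an added example and is not code from the article, from Elastic Security Labs or from Jamf: it refangs the published indicator (the article prints it with the usual "[.]" defanging), matches resolver log lines against it with label-aligned comparison so look-alike names such as notlinkpc.net do not match, and, as an assumption of this example rather than something the article states, flags other hosts under the same dynamic-DNS parent at low confidence for follow-up. The log format and the sample lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Indicator as published in the article above, in its defanged form.
RUSTBUCKET_C2_DEFANGED = "docsend.linkpc[.]net"

# Assumption of this example: other hosts under the same dynamic-DNS provider are
# worth a low-confidence look, because the operators chose that provider. The
# article itself names only the single host above.
DYNAMIC_DNS_PARENTS = ("linkpc.net",)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('a.b[.]c', 'hxxp://...') back into a matchable hostname."""
    ind = indicator.strip().lower()
    for token in ("[.]", "(.)", "{.}"):
        ind = ind.replace(token, ".")
    ind = re.sub(r"^hxxps?://", "", ind)
    return ind.rstrip(".")


def domain_matches(query: str, indicator: str) -> bool:
    """True for an exact match or a subdomain; label-aligned, so 'notlinkpc.net' != 'linkpc.net'."""
    q = query.lower().rstrip(".")
    return q == indicator or q.endswith("." + indicator)


# Constructed generic resolver log format: "<timestamp> <client_ip> <qtype> <qname>"
LOG_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")


@dataclass
class Hit:
    line_no: int
    client: str
    qname: str
    confidence: str  # "high" for the published indicator, "low" for the parent-domain heuristic


def scan_dns_log(lines):
    """Return one Hit per log line whose query name matches the indicator or the heuristic."""
    c2 = refang(RUSTBUCKET_C2_DEFANGED)
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than abort the sweep
        qname = m.group("qname")
        if domain_matches(qname, c2):
            hits.append(Hit(n, m.group("client"), qname.rstrip("."), "high"))
        elif any(domain_matches(qname, parent) for parent in DYNAMIC_DNS_PARENTS):
            hits.append(Hit(n, m.group("client"), qname.rstrip("."), "low"))
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2023-07-01T10:00:01Z 10.0.0.12 A www.example.com",
    "2023-07-01T10:00:02Z 10.0.0.12 A docsend.linkpc.net.",
    "2023-07-01T10:00:03Z 10.0.0.14 A update.linkpc.net",
    "2023-07-01T10:00:04Z 10.0.0.15 A notlinkpc.net",
    "malformed line",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.client} -> {hit.qname} [{hit.confidence}]")
```

Run against an export of resolver or EDR DNS telemetry, a "high" hit is the published indicator and warrants host triage; a "low" hit only says the same dynamic-DNS provider was used and needs context before anyone acts on it.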
The updated RustBucket malware is a serious threat to macOS users: it persists more robustly on victims' systems and evades detection by security software. Users should be aware of the risks posed by phishing emails and be cautious when downloading files from unknown sources. Installing a reliable security solution is also recommended as protection against such attacks.