Researchers have revealed an updated version of the malicious program Rustbucket, which targets macOS users. The new version contains enhanced features that allow it to penetrate systems more effectively and bypass antivirus solutions.
In a recently published report, experts from Elastic Security Labs explain that this version of Rustbucket, part of a malware campaign targeting macOS systems, incorporates new persistence functions that were not present in previous versions. It also uses a flexible strategy for managing and coordinating its actions within a network infrastructure.
Rustbucket is a tool developed by the North Korean actor Kibagroisa, also known as Bluenoroff. It is just one of the cyber operations attributed to the elite hacker group Lazarus Group, which operates under the control of the Reconnaissance General Bureau (RGB), North Korea's primary intelligence agency.
The malicious program was initially discovered in April 2023 by Jamf Threat Labs, which described it as an AppleScript-based backdoor capable of receiving secondary payloads from a remote server. Elastic tracks this activity under the reference number Ref9135.
The secondary malware, written in Swift, is designed to download the main malicious program, a binary written in the Rust programming language. This program can collect extensive information for the server and can also download and execute additional binaries or shells on compromised systems.
This is the first time that the Bluenoroff malicious program has specifically targeted macOS users, although a version of Rustbucket with a similar set of functions on the .NET platform has been detected in the wild.
A recent analysis conducted by the French cybersecurity company Sekoia, focused on Rustbucket, highlights the cross-platform approach used by the Bluenoroff hacker group. By targeting multiple platforms, they aim to develop malware that can infect a larger number of potential victims and expand their capabilities.
The infection chain begins with a macOS installer file that installs a fake but functional PDF reader. Notably, the malicious activity is only triggered when the infected PDF file is opened with the fake PDF reader. The initial attack vector involves phishing emails and fake accounts on social networks.