North Korea-linked BlueNoroff hackers have been observed using a new macOS malware family in recent attacks, cybersecurity firm Jamf reveals.
Dubbed RustBucket and able to fetch additional payloads from its command-and-control (C&C) server, the malware has been attributed to the advanced persistent threat (APT) actor BlueNoroff, which is believed to be a subgroup of the infamous Lazarus hacking group.
As part of the observed attacks, BlueNoroff used stage-one malware contained within the unsigned application ‘Internal PDF Viewer.app’ and designed to fetch and execute the stage-two payload on the system.
According to Jamf’s security researchers, the Internal PDF Viewer application does not appear to be executed unless the user manually overrides Gatekeeper, which suggests that the attackers rely on social engineering to trick victims into initializing the infection chain.
The second-stage payload is a signed application which masquerades as a legitimate Apple bundle identifier. It also displays a decoy PDF to the victim – containing information taken from the website of a legitimate venture capital firm.
The malware begins communication with the C&C server to fetch the stage-three payload, which is a signed trojan written in the Rust language that can run on both ARM and x86 architectures.
The malware can gather system information, including a list of running processes, current time, and whether it is running in a virtual machine, and allows the attacker to perform various actions on the infected machines, Jamf says.
Based on the domain used by the stage-one dropper, the use of fake domains impersonating venture capital firms and social engineering schemes similar to a previous BlueNoroff-linked campaign, Jamf believes that the North Korean hackers are behind the RustBucket macOS malware.
“The malware used here shows that as macOS grows in market share, attackers realize that a number of victims will be immune if their tooling is not updated to include the Apple ecosystem. Lazarus group, which has strong ties to BlueNoroff, has a long history of attacking macOS and it’s likely we’ll see more APT groups start doing the same,” Jamf concludes.
Related: North Korea’s Lazarus Targets Energy Firms With Three RATs
Related: North Korea Lazarus Hackers Blamed for $100 Million Horizon Bridge Heist
Related: North Korea APT Lazarus Targeting Chemical Sector