RustBucket: Latest macOS Malware Explored by Security Researchers - BlueNoroff's Threat and Lazarus Group's Intrusion

Security researchers from Elastic Security Labs have discovered a new version of RustBucket, the latest version of the Apple macOS malware.

According to the researchers, RustBucket is a family of malware targeting macOS systems and the work of a North Korean threat actor known as BlueNoroff, which is part of a larger collection of intrusions tracked under the name Lazarus Group, an elite hacking unit overseen by the General Bureau of Reconnaissance (RGB), the country's main intelligence agency. The malware, first revealed in April by researchers at Jamf, has a novel persistence mechanism and is currently not detected by any major antimalware system. In a recent intrusion, researchers from Elastic Security Labs observed a cluster they track as REF9135, which used the new version of RustBucket to attack a cryptocurrency company in Europe.

According to French cybersecurity firm Sekoia, the recent BlueNoroff activity illustrates how the group's shift to cross-platform languages for its malware development continues to broaden the range of victims it can reach. RustBucket comes with a unique persistence method and uses dynamic DNS domains for command and control.

Typically, the attackers try to deliver this malware via phishing emails or through social media channels such as LinkedIn. For the infection to succeed, the victim must first download and run a macOS installer file that provides a functional PDF reader, and then open a PDF file with that compromised reader.

In 2019, Lazarus stole approximately $600 million in cryptocurrencies and fiat currencies from financial institutions and exchanges. Then, in June 2022, Lazarus Group managed to break into Harmony Bridge, a blockchain protocol that allows different blockchains to communicate with each other, thus allowing different tokens to migrate from one blockchain to another. About $100 million vanished from the protocol in the incident. Researchers believe that North Korea used Lazarus to offset some of the damage caused by international sanctions. Other researchers have even stated that the money generated from Lazarus operations is used to fund the development and manufacture of nuclear weapons.

Cybersecurity researcher David Sehyeon Baek, writing on LinkedIn, said that Lazarus' long-running macOS attacks suggest that more advanced persistent threat (APT) groups may follow suit and focus more on the Apple ecosystem. Others, however, disagree with the view that Lazarus is highly skilled. Skilled or not, Lazarus regularly makes headlines: the group has been held responsible for the attack on the Ronin bridge ($625 million in stolen crypto), the development of the DTrack backdoor, the infiltration of various open-source software used by many enterprises and SMEs, the weaponization of a Dell driver, and the abuse of the Log4j flaw to target energy companies in the US.