North Korea-linked BlueNoroff hackers, believed to be a subgroup of the Lazarus cybercrime cluster, have been observed targeting Apple Mac devices with a new macOS malware family called “RustBucket.”
“[RustBucket] communicates with command and control (C2) servers to download and execute various payloads,” Jamf Threat Labs researchers wrote in a technical report.
In the observed attacks the threat actor used stage-one malware in the form of an AppleScript file hidden within the unsigned application ‘Internal PDF Viewer.app’ and designed to fetch and execute the stage-two payload on the system. At the time of writing, both the stage-one and stage-two components of this malware were undetected on VirusTotal.
“By breaking up the malware into several components or stages, the malware author makes analysis more difficult, especially if the C2 goes offline. This is a clever but common technique used by malware authors to thwart analysis,” the report says.
The second stage of the attack involves a signed application that uses a bundle identifier made to look like a legitimate Apple one. It also launches a malicious PDF viewer that displays a PDF file containing information taken from the website of a legitimate venture capital firm.
The next stage of the attack chain is initiated only after the victim opens the malicious PDF document. The stage-three payload is signed malware written in Rust, weighing in at a sizable 11.2 MB. It can run on both ARM and x86 architectures.
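The traits reported across the three stages above (an unsigned bundle carrying an AppleScript, a bundle identifier that borrows Apple's namespace despite third-party signing, and a universal ARM/x86 binary) are all things a responder can check statically. The script below is an added example written for this page, not Jamf's tooling or anything from the report; it inspects a `.app` directory for those traits. It assumes the signing authority string is supplied by the caller (for instance the `Authority=` line from `codesign -dv --verbose=2`), and every bundle, identifier and binary it builds is a constructed placeholder so that it runs offline on any platform.

```python
# Added example: static triage of a macOS .app bundle for the RustBucket-style traits
# described above. Not Jamf's code; all sample bundles below are constructed placeholders.
import os
import plistlib
import struct
import tempfile

FAT_MAGIC = 0xCAFEBABE                      # universal (fat) Mach-O header, big-endian
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}
MACHO_THIN_MAGICS = {0xFEEDFACE, 0xFEEDFACF, 0xCEFAEDFE, 0xCFFAEDFE}
SCRIPT_EXTS = (".scpt", ".applescript")
# Apple's own software carries the leaf authority "Software Signing"; a com.apple.* bundle
# identifier under any other authority (Developer ID, ad hoc, none) is an impersonation flag.
APPLE_FIRST_PARTY_AUTHORITY = "Software Signing"


def bundle_identifier(app_dir):
    """Return CFBundleIdentifier from Contents/Info.plist, or None if absent."""
    plist_path = os.path.join(app_dir, "Contents", "Info.plist")
    if not os.path.isfile(plist_path):
        return None
    with open(plist_path, "rb") as fh:
        return plistlib.load(fh).get("CFBundleIdentifier")


def embedded_scripts(app_dir):
    """List AppleScript files (compiled or source) anywhere inside the bundle."""
    found = []
    for root, _dirs, files in os.walk(app_dir):
        for name in files:
            if name.lower().endswith(SCRIPT_EXTS):
                found.append(os.path.relpath(os.path.join(root, name), app_dir))
    return sorted(found)


def binary_architectures(path):
    """Parse a fat Mach-O header and return its slice CPU names.
    A thin Mach-O returns ["thin"]; anything that is not Mach-O returns []."""
    with open(path, "rb") as fh:
        header = fh.read(8)
        if len(header) < 8:
            return []
        magic, nfat = struct.unpack(">II", header)
        if magic in MACHO_THIN_MAGICS:
            return ["thin"]
        if magic != FAT_MAGIC:
            return []
        archs = []
        for _ in range(nfat):  # fat_arch: cputype, cpusubtype, offset, size, align
            cputype = struct.unpack(">IIIII", fh.read(20))[0]
            archs.append(CPU_NAMES.get(cputype, hex(cputype)))
        return archs


def triage(app_dir, signing_authority, main_binary=None):
    """Return human-readable findings for one bundle. signing_authority is the leaf
    Authority string from codesign, or None when the bundle is unsigned."""
    findings = []
    ident = bundle_identifier(app_dir) or ""
    if signing_authority is None:
        findings.append("unsigned bundle")
    if ident.startswith("com.apple.") and signing_authority != APPLE_FIRST_PARTY_AUTHORITY:
        findings.append(f"bundle id {ident} claims the Apple namespace but is not Apple-signed")
    scripts = embedded_scripts(app_dir)
    if scripts:
        findings.append("embedded AppleScript: " + ", ".join(scripts))
    if main_binary:
        archs = binary_architectures(os.path.join(app_dir, "Contents", "MacOS", main_binary))
        if len(archs) > 1:
            findings.append("universal binary: " + "/".join(archs))
    return findings


def build_sample_bundle(root, name, ident, script=False, fat=False):
    """Constructed sample .app layout with placeholder contents (no real code inside)."""
    app = os.path.join(root, name)
    os.makedirs(os.path.join(app, "Contents", "MacOS"))
    os.makedirs(os.path.join(app, "Contents", "Resources"))
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleIdentifier": ident, "CFBundleExecutable": "viewer"}, fh)
    if script:
        with open(os.path.join(app, "Contents", "Resources", "main.scpt"), "wb") as fh:
            fh.write(b"FasdUAS placeholder")          # compiled-AppleScript magic, nothing else
    with open(os.path.join(app, "Contents", "MacOS", "viewer"), "wb") as fh:
        if fat:  # two-slice fat header: x86_64 and arm64, offsets/sizes are placeholders
            fh.write(struct.pack(">II", FAT_MAGIC, 2))
            fh.write(struct.pack(">IIIII", CPU_TYPE_X86_64, 3, 0x4000, 0x100, 14))
            fh.write(struct.pack(">IIIII", CPU_TYPE_ARM64, 0, 0x8000, 0x100, 14))
        else:    # thin 64-bit Mach-O magic followed by padding
            fh.write(struct.pack(">I", 0xFEEDFACF) + b"\0" * 4)
    return app


def demo():
    """Run the triage over a constructed stage-one-like and stage-three-like bundle."""
    with tempfile.TemporaryDirectory() as tmp:
        stage1 = build_sample_bundle(tmp, "Internal PDF Viewer.app", "com.example.viewer", script=True)
        stage3 = build_sample_bundle(tmp, "Viewer.app", "com.apple.sampleviewer", fat=True)
        return {
            "stage1": triage(stage1, None, "viewer"),
            "stage3": triage(stage3, "Developer ID Application: Example Corp (TEAMID)", "viewer"),
        }


if __name__ == "__main__":
    for stage, findings in demo().items():
        print(stage, findings)
```

The heuristics are deliberately narrow: a third-party or unsigned bundle that claims `com.apple.*`, an AppleScript tucked into a bundle, and a fat binary are each unremarkable on their own, so the value is in reporting them together for an analyst rather than blocking on any one of them.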
“The malware used here shows that as macOS grows in market share, attackers realize that a number of victims will be immune if their tooling is not updated to include the Apple ecosystem. Lazarus group, which has strong ties to BlueNoroff, has a long history of attacking macOS and it’s likely we’ll see more APT groups start doing the same,” the researchers concluded.