Cybersecurity firm Jamf has revealed that North Korea-linked BlueNoroff hackers have been using a new macOS malware family, dubbed RustBucket, in recent attacks.
RustBucket is a macOS malware family that is capable of fetching additional payloads from its command-and-control server. It has been attributed to the advanced persistent threat actor BlueNoroff, which is believed to be a subgroup of the infamous Lazarus hacking group.
The attackers rely on social engineering to trick victims into initiating the infection chain. The stage-one malware is contained within the unsigned application ‘Internal PDF Viewer.app’ and is designed to fetch and execute the stage-two payload on the system. The second-stage payload is a signed application whose bundle identifier masquerades as a legitimate Apple one. It also displays a decoy PDF to the victim, containing information taken from the website of a legitimate venture capital firm.
The second-stage payload then contacts the C&C server to fetch the stage-three payload, a signed trojan written in the Rust language that runs on both ARM and x86 architectures. This trojan gathers system information, including a list of running processes, the current time and whether it is running in a virtual machine, and lets the attacker perform various actions on the infected machine.
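Two traits of the chain described above are easy to triage for on a Mac: the first stage is an unsigned app, and the second stage carries a bundle identifier that impersonates Apple. The script below is an added example for defenders (not Jamf's tooling and not code from the report) that classifies an app bundle on those two traits. The sample bundle identifiers and signer names are constructed, and the rule that genuine Apple apps are signed by "Software Signing" or "Apple Mac OS Application Signing" is an assumption used as a heuristic.

```shell
#!/bin/sh
# Heuristic triage of an app bundle against the two RustBucket traits in the
# report: an unsigned first stage, and a signed second stage whose bundle
# identifier impersonates Apple. Example code, not Jamf's or the vendor's own.

# classify_app BUNDLE_ID SIGN_STATUS LEAF_AUTHORITY
#   SIGN_STATUS is "signed" or "unsigned"; LEAF_AUTHORITY is the first
#   "Authority=" value that codesign prints (empty when unsigned).
classify_app() {
  if [ "$2" = "unsigned" ]; then
    echo "suspicious: unsigned application"
    return 0
  fi
  case "$1" in
    com.apple.*)
      # Assumption (heuristic): Apple's own apps carry one of these leaf
      # signers; a com.apple.* identifier under any other signer is a lookalike.
      case "$3" in
        "Software Signing"|"Apple Mac OS Application Signing")
          echo "ok: Apple-signed Apple bundle" ;;
        *) echo "suspicious: com.apple.* identifier signed by '$3'" ;;
      esac ;;
    *) echo "ok: third-party bundle signed by '$3'" ;;
  esac
}

# inspect_app /path/To/Some.app  (macOS only: needs codesign and defaults)
inspect_app() {
  app=$1
  bundle_id=$(/usr/bin/defaults read "$app/Contents/Info" CFBundleIdentifier 2>/dev/null || echo "?")
  if cs_out=$(/usr/bin/codesign -dv --verbose=2 "$app" 2>&1); then
    leaf=$(printf '%s\n' "$cs_out" | sed -n 's/^Authority=//p' | head -n 1)
    status=signed
  else
    leaf=""; status=unsigned
  fi
  printf '%s\t%s\t%s\n' "$app" "$bundle_id" "$(classify_app "$bundle_id" "$status" "$leaf")"
}

# Constructed sample inputs (not real RustBucket indicators); runs without codesign:
classify_app "com.example.viewer" unsigned ""
classify_app "com.apple.example-viewer" signed "Developer ID Application: Example Corp (TEAMID0000)"
classify_app "com.apple.Safari" signed "Software Signing"
```

On a Mac, run `for a in /Applications/*.app; do inspect_app "$a"; done` to sweep installed apps; Apple apps obtained from the App Store may use a different signer than OS-bundled ones, so review any "suspicious" line rather than treating it as a verdict.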
We recommend that you take the following as minimum steps to protect yourself from this new malware attack:
– Keep your system updated and patched.
– Have SentinelOne antivirus installed.
– Only download and install apps from trusted sources.
– Keep multiple backups: local, cold storage and in the cloud.
We understand that technical jargon can be overwhelming, but we believe it’s important to provide you with all the information you need to stay safe and secure. If you have any concerns or questions about this new malware attack, please contact us. We’re here to help you stay protected.