New Malware From North Korea Hits macOS Users

The new macOS malware, RustBucket, is disguised as a legitimate PDF viewer app that actually works.

April 25, 2023

  • A new macOS malware, dubbed RustBucket, has been found targeting Apple users.
  • Jamf attributed the RustBucket-based attacks to the North Korean threat group BlueNoroff, which is associated with the notorious Lazarus APT group.
  • Users can avoid falling victim to RustBucket by leaving macOS’s Gatekeeper enabled and not overriding its warning: the first stage is an unsigned app, which Gatekeeper refuses to launch unless the user explicitly allows it.

Researchers at Jamf have discovered a new macOS malware being used to target Apple devices. The mobile device management company attributed the malware and its usage to the advanced persistent threat group BlueNoroff, a sub-group of Lazarus.

BlueNoroff is the same APT group that targeted Windows machines late last year through malware that evaded Mark-of-the-Web security implementations. The new macOS malware, RustBucket, is disguised as a legitimate PDF viewer (Internal PDF Viewer) app that actually works.

The stage-one executable, Internal PDF Viewer, is an unsigned app. Because it carries no signature at all, Gatekeeper will not launch it unless the user overrides the warning; once run, it downloads the stage-two payload from the command-and-control (C2) server.

Stage two is also named Internal PDF Viewer. It is signed, but only with an ad-hoc signature (no Apple-issued Developer ID certificate, so it still fails Gatekeeper), and it borrows the Apple-looking bundle identifier com.apple.pdfViewer to pass as a legitimate Apple component.

“By breaking up the malware into several components or stages, the malware author makes analysis more difficult, especially if the C2 goes offline,” Jamf explained. At the time of Jamf’s disclosure, neither the stage-one nor the stage-two component was detected by any engine on VirusTotal.

As of today, stage one of RustBucket is detected by eight security vendors, while nine vendors detect stage two.

However, the PDF viewer app is only one piece of the puzzle. Triggering the next stage requires the correct PDF file: only when that specific document is opened in the viewer does the malicious behaviour begin.

“Upon execution, the application does not perform any malicious actions yet. For the malware to take the next step and communicate with the attacker, the correct PDF must be loaded,” Jamf added.


Loading any other PDF file produces an error message instead (shown in Jamf’s screenshot):

[Image: RustBucket malicious PDF file. Source: Jamf]

The PDF file is a bogus nine-page document about venture capital firms looking to invest in tech startups. Once this document is loaded, the viewer initiates stage three of the attack: the execution of an 11.2-megabyte trojan, also signed ad-hoc and written in Rust. This trojan runs system reconnaissance commands to collect basic host data such as the current time, a process listing, and whether it is running inside a virtual machine.

[Image: RustBucket malware attack chain, attributed to BlueNoroff. Source: Jamf]

“The malware used here shows that as macOS grows in market share, attackers realize that a number of victims will be immune if their tooling is not updated to include the Apple ecosystem. Lazarus group, which has strong ties to BlueNoroff, has a long history of attacking macOS, and it’s likely we’ll see more APT groups start doing the same,” Jamf concluded.

Thankfully, RustBucket requires the target to override Gatekeeper, the built-in macOS feature that blocks apps downloaded from the internet unless they are signed with a Developer ID certificate and notarized by Apple. Neither the unsigned stage one nor the ad-hoc-signed stage two passes that check, so a user who leaves Gatekeeper enabled and declines to bypass its warning will not run the malware.
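The two signing states described above (an unsigned stage one, and an ad-hoc-signed stage two that claims a com.apple.* bundle identifier) are both visible from the output of Apple's own `codesign -dv --verbose=2` command, which is what Gatekeeper's verdict ultimately rests on. The following script is an added example written for this page; it is not Jamf's tooling and not taken from the malware. It parses codesign's output and flags the two patterns. The sample outputs are constructed to match codesign's real line format, and the rule that Apple's platform binaries carry the leaf authority "Software Signing" is the editor's heuristic, not a documented API guarantee.

```python
"""Triage helper: classify a macOS app bundle from `codesign -dv --verbose=2` output.

Added example for this article (editor's code, not Jamf's or the malware's).
codesign writes key=value lines to stderr; the lines that matter here are
`Signature=adhoc` / `flags=0x2(adhoc)` for ad-hoc signatures, `Authority=...`
(repeated, leaf first) for real certificate chains, and the bare message
`code object is not signed at all` for an unsigned binary.
"""
import subprocess
import sys

# Bundle-identifier prefixes Apple uses for its own software (heuristic).
APPLE_ID_PREFIXES = ("com.apple.",)
# Leaf certificate on Apple platform binaries (editor's assumption, not an API contract).
APPLE_PLATFORM_LEAF = "Software Signing"


def parse_codesign(output: str) -> dict:
    """Turn codesign's key=value lines into a dict; Authority may repeat, so it is a list."""
    info = {"Authority": []}
    for line in output.splitlines():
        line = line.strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key == "Authority":
            info["Authority"].append(value)
        else:
            info[key] = value
    return info


def classify(output: str) -> dict:
    """Return {'state', 'identifier', 'suspicious', 'reasons'} for one bundle."""
    if "not signed at all" in output:
        return {"state": "unsigned", "identifier": None, "suspicious": True,
                "reasons": ["unsigned: Gatekeeper blocks it unless the user overrides"]}

    info = parse_codesign(output)
    ident = info.get("Identifier")
    leaf = info["Authority"][0] if info["Authority"] else None
    reasons = []

    if info.get("Signature") == "adhoc" or "(adhoc)" in info.get("CodeDirectory", ""):
        state = "adhoc"
        reasons.append("ad-hoc signature: no Developer ID, cannot be notarized, Gatekeeper rejects it")
    elif leaf == APPLE_PLATFORM_LEAF:
        state = "apple"
    elif leaf and leaf.startswith("Developer ID Application:"):
        state = "developer-id"
    else:
        state = "signed"

    # An Apple-looking identifier on anything Apple did not sign is the RustBucket stage-two pattern.
    if ident and ident.startswith(APPLE_ID_PREFIXES) and state != "apple":
        reasons.append(f"claims Apple identifier {ident} but is not Apple-signed")

    return {"state": state, "identifier": ident, "suspicious": bool(reasons), "reasons": reasons}


def codesign_bundle(path: str) -> str:
    """Run codesign on a real bundle (macOS only) and return the text it wrote to stderr."""
    proc = subprocess.run(["codesign", "-dv", "--verbose=2", path], capture_output=True, text=True)
    return proc.stderr


# Constructed samples in codesign's format (not captured from the real malware).
SAMPLE_UNSIGNED = "Internal PDF Viewer.app: code object is not signed at all\n"

SAMPLE_ADHOC = """Executable=/Users/victim/Downloads/Internal PDF Viewer.app/Contents/MacOS/Internal PDF Viewer
Identifier=com.apple.pdfViewer
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+7 location=embedded
Signature=adhoc
Info.plist entries=20
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=4
Internal requirements count=0 size=12
"""

SAMPLE_APPLE = """Executable=/System/Applications/Preview.app/Contents/MacOS/Preview
Identifier=com.apple.Preview
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=5678 flags=0x0(none) hashes=170+7 location=embedded
Signature size=4442
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Info.plist entries=40
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=400
Internal requirements count=1 size=76
"""

if __name__ == "__main__":
    # With bundle paths as arguments it runs codesign for real; otherwise it uses the samples.
    outputs = [codesign_bundle(p) for p in sys.argv[1:]] or [SAMPLE_UNSIGNED, SAMPLE_ADHOC, SAMPLE_APPLE]
    for out in outputs:
        print(classify(out))
```

Run it against a downloaded bundle with `python3 triage.py "/path/to/Internal PDF Viewer.app"`; a result of `unsigned` or `adhoc` means Gatekeeper would have refused the app and the only way it executes is a deliberate user override.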


Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis

An earnest copywriter at heart, Sumeet is what you'd call a jack of all trades, rather techs. A self-proclaimed 'half-engineer', he dropped out of Computer Engineering to answer his creative calling pertaining to all things digital. He now writes what techies engineer. As a technology editor and writer for News and Feature articles on Spiceworks (formerly Toolbox), Sumeet covers a broad range of topics from cybersecurity, cloud, AI, emerging tech innovation, hardware, semiconductors, et al. Sumeet compounds his geopolitical interests with cartophilia and antiquarianism, not to mention the economics of current world affairs. He bleeds Blue for Chelsea and Team India! To share quotes or your inputs for stories, please get in touch on sumeet_wadhwani@swzd.com