Insights, news, education and announcements from PolySwarm

BlueNoroff's RustBucket MacOS Malware

Written by The Hivemind | May 12, 2023 7:48:04 PM

Verticals Targeted: Financial

Executive Summary

North Korea nexus threat actor group BlueNoroff was recently observed using malware to target MacOS systems. Dubbed RustBucket, the malware can be used to communicate with the C2 to download and execute additional payloads.

Key Takeaways

  • North Korea nexus threat actor group BlueNoroff was recently observed using malware to target MacOS systems. 
  • Dubbed RustBucket, the malware can be used to communicate with the C2 to download and execute additional payloads. 
  • RustBucket is a multistage malware.

What is RustBucket?

Jamf Threat Labs recently reported on RustBucket, a multistage malware targeting MacOS devices. RustBucket is being used by the threat actor group BlueNoroff. RustBucket is a multi-stage tool that can be used to communicate with the C2 to download and execute additional payloads.

Stage One

The Stage One malware is an AppleScript file contained in an unsigned application known as Internal PDF Viewer.app. In order for the infection to be successful, the user must manually override MacOS’s Gatekeeper protections. Following a successful infection, the stage one malware fetches and executes the second stage payload, which is a signed application masquerading as a legitimate Apple bundle identifier.

Stage Two

The Second Stage payload is written in Objective-C. It allows the victim to view PDF files and initiates the next phase of the attack chain when the victim opens a malicious PDF. In essence, the malicious PDF acts as a key to execute the next attack phase. This makes analysis of the malware slightly more difficult, as a PDF is needed. Jamf noted one of the lure documents was investment themed. The second stage payload communicates with the C2 to download the stage three payload.

Stage Three

The Stage Three payload, written in Rust, is a Mach-O executable and can target both ARM and x86 architectures. RustBucket can gather system information and lets the threat actor perform various actions on the victim machine.

Who is BlueNoroff?

BlueNoroff, also known as Stardust Chollima, APT38, Nickel Gladstone, Sapphire Sleet, and TA444, is a North Korean threat actor group that is an offshoot of Lazarus Group. BlueNoroff is known for financially motivated activity, including targeting banks, casinos, cryptocurrency exchanges, ATMs, and SWIFT endpoints. In recent months, BlueNoroff has used job-themed lures for phishing.

IOCs

PolySwarm has multiple samples of RustBucket.

7981ebf35b5eff8be2f3849c8f3085b9cec10d9759ff4d3afd46990520de0407

Bea33fb3205319868784c028418411ee796d6ee3dfe9309f143e7e8106116a49

3d41cd5199dbd6cefcc78d53bb44a2ecbea716de2bc8e547ead7c2aebd9925f0

8e234482db790fa0a3d2bf5f7084ec4cfb74bffd5f6cbdc5abdbc1350f58e3fe

 

You can use the following CLI command to search for all RustBucket samples in our portal:

$ polyswarm link list -f RustBucket

 

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports