RustBucket Malware: Uncovering the Link Between macOS Attacks and the North Korean BlueNoroff Group

The threat of cyberattacks continues to loom over individuals and corporations, with new threats emerging regularly. The latest threat comes in the form of macOS malware called RustBucket. Suspected to be backed by a financially motivated North Korean threat actor, RustBucket has been causing concerns among cybersecurity experts. In this article, we will explore the BlueNoroff threat actor behind RustBucket, the technical details of RustBucket, and the possible impact it can have on victims.

BlueNoroff: The Threat Actor Behind RustBucket macOS Malware

BlueNoroff is a subgroup within the infamous Lazarus cluster, which is also known as APT28, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and TA444. The Lazarus Group is less a distinct outfit and more of an umbrella term for a mixture of state-sponsored and criminal hacking groups that sit within the Reconnaissance General Bureau (RGB), North Korea’s primary foreign intelligence apparatus.

Hacking groups that operate under the Lazarus Group are known for their sophisticated attacks on targets across the globe, including attacks against Sony Pictures, the Bangladesh Bank heist, and the WannaCry ransomware attack. BlueNoroff, in particular, is known for its cyber-enabled heists targeting the SWIFT system, as well as cryptocurrency exchanges as part of an intrusion set tracked as CryptoCore.

BlueNoroff’s Cyber-Enabled Heists Target SWIFT and Cryptocurrency Exchanges

BlueNoroff has been responsible for several high-profile cyber thefts, including the $81 million heist on the Bangladesh Bank in 2016. This attack involved the use of fraudulent SWIFT messages to transfer funds from the bank’s account at the Federal Reserve Bank of New York to accounts in the Philippines and Sri Lanka.

Similarly, CryptoCore, an intrusion set linked to BlueNoroff, has been involved in a series of sophisticated attacks on cryptocurrency exchanges. According to reports, the group has stolen over $200 million from at least 14 different exchanges, using a variety of techniques to gain access to the systems.

RustBucket: A new Apple macOS Malware

Recently, the cybersecurity firm Jamf reported a new threat believed to be associated with BlueNoroff. Called RustBucket, this new threat is a macOS malware that uses sophisticated techniques to evade detection and infect systems.

Please give me a description of RustBucket

RustBucket masquerades as an “Internal PDF Viewer” application to activate the infection. However, the success of the attack depends on the victim manually overriding Gatekeeper protections. Once the initial infection is successful, RustBucket installs a second-stage payload, written in Objective-C. This is a basic application that offers the ability to view PDF files and only initiates the next phase of the attack chain when a booby-trapped PDF file is opened through the app.

RustBucket’s Malicious Techniques and Features

The PDF viewer technique used by the attacker is clever. It involves using a disguised app to trick the victim into opening a malicious PDF file, which then initiates the second stage of the attack. This technique attempts to evade detection by security software and bypass security protocols.

It is not currently clear how the threat actor gains initial access to systems, and there is no information on the success rate of the attacks. However, the development and deployment of RustBucket shows that threat actors are adapting their toolsets to accommodate cross-platform malware by using programming languages like Go and Rust. This could potentially increase the threat posed by future attacks.

Increase in the interest of threat actors to exploit trust relationships in software supply chains as entry points to corporate networks

Recent activity by the threat actor has offered fresh evidence of the group’s growing interest in exploiting trust relationships in the software supply chain as entry points to corporate networks. This technique involves compromising third-party suppliers and vendors who provide software and services to targeted organizations. By compromising these vendors, threat actors can gain access to a vast network of potential targets with minimal effort.

Unknown Initial Access to Networks and Potential Success Rates of Attacks

Despite the lack of information on how threat actors gain initial access to systems, cybersecurity experts continue to warn of the potential impact of such attacks. RustBucket’s sophisticated techniques, combined with the threat actor’s track record of successful cyber heists, mean that any attack is a cause for concern.

Other targets of Kimsuky, a set of attacks tracked by Taiwanese cybersecurity company TeamT5 under the name KimDragon

The Lazarus Group is not the only group with an interest in cyber theft conducted by North Korea. Another attack group associated with North Korea is called Kimsuky, which has targeted government and educational institutions in India and Japan. These attacks were tracked by the Taiwanese cybersecurity company TeamT5 under the name KimDragon.

The emergence of RustBucket highlights the continued threat posed by cybercriminals and threat actors to individuals and corporations. Adapting their toolsets to accommodate cross-platform malware and exploiting trust relationships in the software supply chain are some of the ways they continue to find new ways to attack systems. As a result, it is essential for organizations to remain vigilant and up-to-date with security protocols to mitigate the risks of attacks.

Explore more