
Lazarus Subgroup BlueNoroff Deploys RustBucket Malware on Apple Devices

A new strain of macOS malware, RustBucket, has been discovered and attributed to BlueNoroff, a financially motivated North Korean threat actor that operates as a subgroup of the infamous Lazarus cluster. BlueNoroff itself is tracked under several other monikers, including APT38, Nickel Gladstone, Stardust Chollima, Sapphire Sleet, and TA444.

According to researchers, RustBucket communicates with the C2 (command and control) servers to download and execute various payloads. Experts have warned that RustBucket could be used for malicious activities, including stealing sensitive data or deploying ransomware.

BlueNoroff stands out from other entities within the Lazarus Group due to its focus on cyber-enabled heists targeting the SWIFT system and cryptocurrency exchanges. The group’s activities are part of an intrusion set known as CryptoCore.

Earlier this year, the U.S. Federal Bureau of Investigation (FBI) implicated the threat actor for stealing $100 million in cryptocurrency assets from Harmony Horizon Bridge in June 2022.

RustBucket Deployed Using Job-Themed Lures

Security researchers have revealed that BlueNoroff has recently shifted its tactics to use job-themed lures to trick email recipients into giving away their credentials. This marks a significant change in the group’s attack repertoire.

As part of this new approach, BlueNoroff has developed the macOS malware RustBucket, disguised as an “Internal PDF Viewer” application. The first stage is not signed with a developer identity, so Gatekeeper blocks it by default; the infection only proceeds if the victim manually overrides that protection (for example by right-clicking the app and choosing Open) to launch it.

Once running, the first stage retrieves a second-stage payload from a remote server. That payload is also named “Internal PDF Viewer” and carries only an ad-hoc code signature, that is, a signature with no signing certificate or developer identity behind it.

The second-stage payload is a functional, if basic, PDF viewer. It only initiates the next phase of the attack chain when the booby-trapped PDF file is opened through the app; opened in Preview or any other reader, the document does nothing. Because the app behaves benignly until it is fed that specific document, a sandbox detonation or a quick manual inspection of the app alone sees no malicious behaviour.

Researchers have revealed that a nine-page PDF document promising an “investment strategy” is the lure used to trigger the chain. When that document is opened in the malicious viewer, the app reaches out to a command-and-control server to download and execute a third-stage trojan, a Mach-O executable written in Rust. This trojan runs system reconnaissance commands and reports the results to its operators.
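The ad-hoc signature on the second stage is the most useful static indicator in the chain above, because a legitimately distributed macOS app carries a Developer ID or App Store signature, not an ad-hoc one. The following Python script is an added example (it is not Jamf's tooling, the malware's code, or anything from the original post): it parses a 64-bit Mach-O, walks the load commands to the embedded code-signature SuperBlob, and reports whether the binary is unsigned, ad-hoc signed (CS_ADHOC flag set in the CodeDirectory or an empty CMS blob) or signed with an identity, along with the signing identifier. The `build_sample` helper constructs synthetic Mach-O bytes so the script runs offline; the identifier strings and the placeholder CMS body in it are made up for the demonstration and are not indicators from the real sample. The parser reads structure only; it does not verify code hashes.

```python
"""Offline triage: is this Mach-O unsigned, ad-hoc signed, or identity-signed?

Added example for the RustBucket chain, not code from the original article.
Structure offsets follow Apple's mach-o/loader.h and cs_blobs.h.
"""
import struct
import sys

MH_MAGIC_64 = 0xFEEDFACF               # 64-bit Mach-O, header is little-endian
LC_CODE_SIGNATURE = 0x1D               # linkedit_data_command: dataoff, datasize
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0  # SuperBlob (all CS blobs are big-endian)
CSMAGIC_CODEDIRECTORY = 0xFADE0C02
CSMAGIC_BLOBWRAPPER = 0xFADE0B01       # wraps the CMS (PKCS#7) signature
CSSLOT_CODEDIRECTORY = 0
CSSLOT_SIGNATURESLOT = 0x10000
CS_ADHOC = 0x2                         # CodeDirectory flag: "signed without signer"


def find_code_signature(data: bytes):
    """Return (offset, size) of the LC_CODE_SIGNATURE payload, or None if absent."""
    magic, _cpu, _sub, _ftype, ncmds, _size, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O (fat/32-bit not handled here)")
    off = 32  # load commands start right after the 32-byte mach_header_64
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8:
            raise ValueError("corrupt load command")
        if cmd == LC_CODE_SIGNATURE:
            return struct.unpack_from("<II", data, off + 8)  # dataoff, datasize
        off += cmdsize
    return None


def inspect_signature(data: bytes) -> dict:
    """Classify the embedded signature: {'signed', 'adhoc', 'identifier', 'cms_bytes'}."""
    result = {"signed": False, "adhoc": False, "identifier": None, "cms_bytes": 0}
    loc = find_code_signature(data)
    if loc is None:
        return result  # no LC_CODE_SIGNATURE at all: unsigned
    base, size = loc
    sb = data[base:base + size]
    magic, _length, count = struct.unpack_from(">III", sb, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        raise ValueError("LC_CODE_SIGNATURE does not point at a SuperBlob")
    result["signed"] = True
    for i in range(count):
        slot, off = struct.unpack_from(">II", sb, 12 + 8 * i)  # index entries follow header
        bmagic, blen = struct.unpack_from(">II", sb, off)
        if slot == CSSLOT_CODEDIRECTORY and bmagic == CSMAGIC_CODEDIRECTORY:
            # CodeDirectory: magic, length, version, flags, hashOffset, identOffset, ...
            _version, flags, _hash_off, ident_off = struct.unpack_from(">IIII", sb, off + 8)
            end = sb.index(b"\x00", off + ident_off)
            result["identifier"] = sb[off + ident_off:end].decode("utf-8", "replace")
            if flags & CS_ADHOC:
                result["adhoc"] = True
        elif slot == CSSLOT_SIGNATURESLOT and bmagic == CSMAGIC_BLOBWRAPPER:
            result["cms_bytes"] = blen - 8  # an ad-hoc signature carries an empty wrapper
    if result["cms_bytes"] == 0:
        result["adhoc"] = True  # no CMS data means no certificate chain to trust
    return result


def build_sample(identifier: str, adhoc: bool = True, signed: bool = True) -> bytes:
    """Construct a minimal synthetic Mach-O for offline testing (not a real binary).

    Only the fields the parser reads are populated; hashes are omitted and the
    non-ad-hoc CMS body is a placeholder, not real DER.
    """
    if not signed:
        return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 0, 0, 0, 0)
    ident = identifier.encode() + b"\x00"
    cd_fields = struct.pack(">IIII", 0x20400, CS_ADHOC if adhoc else 0, 0, 24)
    cd = struct.pack(">II", CSMAGIC_CODEDIRECTORY, 24 + len(ident)) + cd_fields + ident
    cms_body = b"" if adhoc else b"\x30\x03\x02\x01\x01"  # constructed placeholder
    cms = struct.pack(">II", CSMAGIC_BLOBWRAPPER, 8 + len(cms_body)) + cms_body
    index = struct.pack(">IIII", CSSLOT_CODEDIRECTORY, 28, CSSLOT_SIGNATURESLOT, 28 + len(cd))
    sb_len = 28 + len(cd) + len(cms)
    sb = struct.pack(">III", CSMAGIC_EMBEDDED_SIGNATURE, sb_len, 2) + index + cd + cms
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, 16, 0, 0)
    lc = struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 48, sb_len)  # blob lands at offset 48
    return header + lc + sb


if __name__ == "__main__":
    # Usage: python3 triage.py /path/to/Internal\ PDF\ Viewer.app/Contents/MacOS/<binary>
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(inspect_signature(fh.read()))
    else:
        print(inspect_signature(build_sample("com.example.Internal-PDF-Viewer", adhoc=True)))
```

On a Mac the same verdict comes from the built-in tools: `codesign -dv --verbose=4 <path>` prints `Signature=adhoc` for such a binary, `spctl --assess --type execute <path>` rejects it, and `xattr -p com.apple.quarantine <path>` shows whether the file still carries the quarantine flag that Gatekeeper acts on. The script is for the case where you are looking at a collected sample off-host, or at a fleet of hashes where you want the classification in bulk. Universal (fat) binaries need their slices split out first, for example with `lipo -thin`, before the single-architecture parser above can read them.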

The findings come amid a spate of attacks by the Lazarus Group, targeting organizations across various countries and industry verticals for strategic intelligence collection and cryptocurrency theft. The recent surge in activity has shown a growing interest in exploiting trust relationships in the software supply chain to gain access to corporate networks. The group was also implicated in a supply chain attack that utilized trojanized versions of the legitimate X_TRADER app to breach enterprise communications software maker 3CX, infecting its Windows and macOS apps.
