According to a recent analysis from Elastic Security Labs, “This variant of RustBucket – part of a malware family that attacks macOS systems – integrates persistence features never seen before.” Additionally, they stress how the revised RustBucket “applies a flexible network infrastructure strategy to manage and coordinate its actions”.
The RustBucket toolkit is attributed to the North Korean threat actor tracked as BlueNoroff. BlueNoroff is one of several activity clusters grouped under the notorious Lazarus Group, which in turn operates under the direction of the Reconnaissance General Bureau (RGB), North Korea’s principal intelligence agency.
In April 2023, Jamf Threat Labs documented the malware as an AppleScript-based backdoor capable of retrieving a second-stage payload from a remote server. Elastic tracks the intrusion set as REF9135. “The BlueNoroff hacker group’s recent activities amply display how they employ cross-platform languages in their attacks, which are intended to create dangerous software.”
According to the Elastic analysis, this strategy “is most likely intended to empower and increase the number of potential victims.” Sekoia, a French cybersecurity company, published its own analysis of a RustBucket variant at the end of May 2023.
The infection chain begins with a macOS installer that drops a fake but fully functional PDF reader. A notable feature of the attacks is that the malicious activity is triggered only when a specific weaponized PDF file is opened in that fake reader, which means the installer on its own can look benign to a sandbox that never opens the lure document. Initial access is obtained through phishing emails and fake social-media personas.
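The trigger described above (a PDF viewer that opens a lure document and then runs AppleScript) is the kind of behaviour a hunter can look for in endpoint telemetry. The following is an added illustration, not code from Jamf, Elastic, Sekoia or the malware authors. The JSON event schema, the sample events and the 30-second correlation window are constructed for this example, and the heuristic itself (a PDF-viewer process spawning `osascript` or a shell shortly after opening a `.pdf`) is an assumption drawn from the article’s description rather than a published detection rule:

```python
"""Hunt for a PDF viewer that opens a document and then launches a script host.

Added illustration; not code from Jamf, Elastic, Sekoia or the malware authors.
The event schema, the sample events and WINDOW_SECONDS are constructed for this
example. The heuristic (PDF viewer -> osascript/shell shortly after a PDF open)
is an assumption based on the article, not a published signature.
"""
import json

# Constructed process/file telemetry, one JSON object per line (not real data).
SAMPLE_LOG = """
{"ts": 100, "event": "process_exec", "pid": 501, "ppid": 1, "path": "/Applications/PDF Viewer.app/Contents/MacOS/PDF Viewer"}
{"ts": 105, "event": "file_open", "pid": 501, "path": "/Users/alice/Downloads/Investment_Deck.pdf"}
{"ts": 107, "event": "process_exec", "pid": 502, "ppid": 501, "path": "/usr/bin/osascript", "argv": ["osascript", "-e", "do shell script ..."]}
{"ts": 200, "event": "process_exec", "pid": 601, "ppid": 1, "path": "/Applications/Safari.app/Contents/MacOS/Safari"}
{"ts": 202, "event": "process_exec", "pid": 602, "ppid": 601, "path": "/usr/bin/osascript", "argv": ["osascript", "-e", "display dialog hi"]}
{"ts": 300, "event": "file_open", "pid": 501, "path": "/Users/alice/Downloads/Report.pdf"}
{"ts": 900, "event": "process_exec", "pid": 503, "ppid": 501, "path": "/bin/sh", "argv": ["sh", "-c", "..."]}
"""

WINDOW_SECONDS = 30  # constructed choice: how recent the PDF open must be to count
SCRIPT_HOSTS = {"/usr/bin/osascript", "/bin/sh", "/bin/bash", "/bin/zsh"}


def parse_events(text):
    """Parse newline-delimited JSON events into a list of dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def looks_like_pdf_viewer(path):
    """Heuristic: an app bundle under /Applications whose bundle name mentions PDF.

    A production rule would key on the code-signing Team ID of the bundle
    instead of its name, since a fake reader can be called anything.
    """
    if not path.startswith("/Applications/"):
        return False
    bundle = path.split("/")[2]
    return bundle.endswith(".app") and "pdf" in bundle.lower()


def hunt(events):
    """Return one finding per script host spawned by a PDF-viewer process.

    Severity is 'high' when the viewer opened a .pdf within WINDOW_SECONDS of
    the spawn (matches the lure-document trigger), 'medium' otherwise.
    """
    events = sorted(events, key=lambda e: e["ts"])
    viewers = {}   # pid -> exec path of processes treated as PDF viewers
    last_pdf = {}  # viewer pid -> (ts, path) of the most recent .pdf it opened
    findings = []
    for ev in events:
        kind = ev["event"]
        if kind == "process_exec" and looks_like_pdf_viewer(ev["path"]):
            viewers[ev["pid"]] = ev["path"]
        elif (kind == "file_open" and ev["pid"] in viewers
              and ev["path"].lower().endswith(".pdf")):
            last_pdf[ev["pid"]] = (ev["ts"], ev["path"])
        elif (kind == "process_exec" and ev["ppid"] in viewers
              and ev["path"] in SCRIPT_HOSTS):
            opened = last_pdf.get(ev["ppid"])
            recent = opened if opened and ev["ts"] - opened[0] <= WINDOW_SECONDS else None
            findings.append({
                "viewer": viewers[ev["ppid"]],
                "viewer_pid": ev["ppid"],
                "child": ev["path"],
                "argv": ev.get("argv", []),
                "pdf": recent[1] if recent else None,
                "severity": "high" if recent else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in hunt(parse_events(SAMPLE_LOG)):
        print(f["severity"], f["viewer_pid"], f["child"], "after", f["pdf"])
```

On the constructed sample this flags two events: `osascript` launched two seconds after `Investment_Deck.pdf` was opened (high), and a later `/bin/sh` child with no recent PDF open (medium). Safari launching `osascript` is ignored because it is not a PDF viewer. The bundle-name check is only a placeholder; keying on the signing Team ID of the viewer is the check a practitioner would actually deploy.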