Cybersecurity researchers from Elastic Security Labs have uncovered a new version of RustBucket, a known malware that targets macOS-powered devices.
This new version is more persistent on the victim endpoints, and harder to detect by antivirus programs.
“This variant of RustBucket, a malware family that targets macOS systems, adds persistence capabilities not previously observed,” the researchers said in their writeup. Apparently, the malware is “leveraging a dynamic network infrastructure methodology for command-and-control.”
To infect their device, the victim first needs to download and run a macOS installer file that delivers a functional, but malicious, PDF reader. Then, they need to try and open a weaponized PDF using that compromised PDF reader.
Usually, the attackers would try and deliver this malware either via phishing emails or through social media channels, such as LinkedIn.
RustBucket comes with a unique persistence method, and uses dynamic DNS domains for command-and-control. It goes above and beyond to stay hidden, the researchers said.
“In the case of this updated RustBucket sample, it establishes its own persistence by adding a plist file at the path /Users/<user>/Library/LaunchAgents/com.apple.systemupdate.plist, and it copies the malware’s binary to the following path /Users/<user>/Library/Metadata/System Update,” it was said in the writeup.
The attackers don’t seem to be casting a particularly wide net with this malware, the researchers further established. Instead, they’re targeting financial institutions in Asia, Europe, and the U.S., leading the investigators to believe that the motive behind the attack is material.
Analysis: Why does it matter?
All evidence points towards the threat actors being BlueNoroff, a department within the Lazarus Group.
Lazarus is a known threat actor, part of the Reconnaissance General Bureau (RGB), the main intelligence agency of North Korea. In other words, Lazarus is a North Korean, state-sponsored threat actor.
The group is best known for pulling off some incredibly lucrative attacks against cryptocurrency businesses, which brought them hundreds of millions of dollars through theft and ransom.
In late June 2023, the U.S. Treasury said Lazarus stole around $600 million in cryptocurrency and fiat currency this year, from financial institutions and exchanges. In 2019, the estimate was around $571.
In June 2022, for example, Lazarus Group successfully breached Harmony Bridge, a blockchain protocol that allows different blockchains to communicate with one another, thus allowing different tokens to migrate from one blockchain to another. Roughly $100 million vanished from the protocol in that incident.
These bridges and similar Decentralized Finance (DeFi) projects are attractive targets as they manage large quantities of funds but are often poorly designed or poorly audited for security.
The researchers believe North Korea is using Lazarus to offset some of the damages that resulted from international sanctions. Other researchers even stated that the money brought in from Lazarus’ operations is being used to fund nuclear weapons development and manufacturing.
When it comes to RustBucket, malware targeting macOS is always interesting. Threat actors usually lean more towards Windows or Linux devices. Linux is extremely potent as it powers most Internet of Things (IoT) devices, the majority of the mobile market, and even some servers.
Windows, on the other hand, is an attractive target for both its popularity and countless ways with which it can be compromised. According to Statista, in Q1 2020 more than 83% of all malware targeted Windows devices, with macOS market share falling in the “other” category that takes up a mere 1.91%.
What have others said about RustBucket and Lazarus?
In his analysis on LinkedIn, cybersecurity researcher David Sehyeon Baek says the longstanding history of macOS attacks by Lazarus suggests more advanced persistent threat (APT) groups may follow suit and focus more on Apple’s ecosystem.
“The emergence of RustBucket highlights the evolving landscape of cyber threats and the need for heightened cybersecurity measures, particularly within the macOS environment,” he says. “Users should remain cautious when downloading and executing applications from unverified sources, ensuring Gatekeeper’s security settings are not bypassed without proper justification.”
While Lazarus may be leading the way in targeting macOS endpoints, not everyone agrees that the group is highly skilled or efficient. In fact, one user of the /hacking/ subreddit said Lazarus is “not really [skilled] for a state actor,” while another added “if you know about them, they are not top hackers.”
Others disagree, saying “North Korean hackers are highly skilled for a nation-state backed group. They are especially skilled at hacking crypto exchanges and stealing crypto as a way to bypass financial sanctions against them. They have stolen hundreds of millions of dollars worth of crypto.”
Skilled or not, Lazarus is often making headlines in the media. Among other things, they were found to be responsible for the attack on the Ronin bridge, ($625m in crypto stolen), the development of the DTrack backdoor, the compromising of various open-source software used by numerous enterprises and SMBs, the weaponization of Dell drivers, and the abuse of the log4j flaw to target energy companies in the US.
If you want to learn more about Lazarus, make sure to read how they targeted developers with fake Coinbase job vacancies, or or how Microsoft linked a smaller ransomware operation to the infamous North Korean threat actor.