Creepy evolution: Rustbucket malware updates
Security experts discover a new variant of Rustbucket malware for macOS, which stands out for its sophisticated persistence and ability to evade security measures
Researchers have identified an updated version of Rustbucket, a malware family written for Apple macOS. The new variant adds a persistence mechanism not seen in earlier samples and includes measures meant to keep it off the radar of security tools. According to Elastic Security Labs, it also moves its command-and-control to a dynamic DNS domain, which lets the operators repoint the infrastructure without rebuilding the implant.
The brainchild of North Korean hackers
Rustbucket is attributed to BlueNoroff, a North Korean threat actor that operates as a subgroup of the larger Lazarus Group. The group works under the Reconnaissance General Bureau (RGB), North Korea's principal intelligence agency. The malware was first documented in April 2023, when Jamf Threat Labs described it as a multi-stage chain: an AppleScript-based first-stage backdoor that fetches a second-stage payload from a remote server; a Swift-compiled second stage that downloads the main Rust-based binary from the command-and-control server; and the Rust stage itself, which collects extensive system information and can execute additional Mach-O binaries or shell scripts on the compromised host.
The cross-platform malware and its expanding targets
Although Rustbucket initially targeted macOS users, a .NET variant has since been observed in the wild. This shows threat actors like BlueNoroff turning to cross-platform languages to broaden what their tooling can run on. As the French cybersecurity firm Sekoia noted, it also points to a likely expansion of the victim pool. The macOS malware is delivered through an installer that drops a trojanized but fully functional PDF reader; the malicious code runs only when a specially crafted PDF is opened in that reader, so the application behaves normally otherwise. Initial access relies on phishing emails and fake personas on social networks such as LinkedIn. The attacks are aimed chiefly at financial institutions across Asia, Europe, and the U.S., consistent with an intent to generate illicit revenue and sidestep sanctions.
Persistence and stealth: the new Rustbucket's noteworthy traits
The standout feature of this updated Rustbucket version is its persistence method, alongside the use of a dynamic DNS domain (docsend.linkpc[.]net) for command-and-control and measures to stay undetected. The sample establishes persistence by writing a launchd plist to /Users/<user>/Library/LaunchAgents/com.apple.systemupdate.plist and copying its binary to /Users/<user>/Library/Metadata/System Update, so the implant is relaunched at every login. Both names are chosen to blend in with Apple components, but neither location is one Apple uses: Apple's own launch agents live under /System/Library/LaunchAgents, not in a user's LaunchAgents folder, so a com.apple.* plist in ~/Library/LaunchAgents is out of place and easy to hunt for. Defenders should review per-user LaunchAgents for these two paths and, more generally, for Apple-style labels pointing at executables under a user's Library folder.
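The following is an added example, not code from the page or from Elastic Security Labs: a small Python hunt script that parses per-user LaunchAgent plists and flags the two Rustbucket indicators above. The generalized heuristics (an Apple-style label in ~/Library/LaunchAgents, or a program path under the user's Library folder) are the editor's own assumptions, and the two sample plists are constructed for offline testing rather than taken from the campaign.

```python
"""Hunt for the updated Rustbucket persistence artefacts in per-user LaunchAgents."""
import plistlib
from pathlib import Path

# Indicators reported for the updated sample (see the text above).
RUSTBUCKET_PLIST_NAME = "com.apple.systemupdate.plist"
RUSTBUCKET_LABEL = "com.apple.systemupdate"
RUSTBUCKET_BINARY_SUFFIX = "Library/Metadata/System Update"


def program_path(plist):
    """Return the executable a launchd job runs, from ProgramArguments or Program."""
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args:
        return str(args[0])
    program = plist.get("Program")
    return str(program) if program else None


def assess_launch_agent(plist_path, data):
    """Parse one per-user LaunchAgent plist and list the reasons it looks suspicious.

    Assumes the plist comes from ~/Library/LaunchAgents: Apple does not install its
    own com.apple.* agents there, so that label prefix alone is a signal (editor's heuristic).
    """
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # launchd would not load it either, but it is worth a look
        return [f"unparseable plist ({exc})"]
    reasons = []
    name = Path(plist_path).name
    label = str(plist.get("Label", ""))
    exe = program_path(plist) or ""
    if name == RUSTBUCKET_PLIST_NAME or label == RUSTBUCKET_LABEL:
        reasons.append("label matches the reported Rustbucket LaunchAgent")
    elif label.startswith("com.apple."):
        reasons.append("Apple-style label in a per-user LaunchAgents directory")
    if exe.endswith(RUSTBUCKET_BINARY_SUFFIX):
        reasons.append("program path matches the reported Rustbucket binary location")
    elif exe.startswith("/Users/") and "/Library/" in exe:
        reasons.append("program lives under the user's Library folder, not an app bundle")
    return reasons


def scan_user_launch_agents(home=None):
    """Scan <home>/Library/LaunchAgents and map each suspicious plist to its reasons."""
    home = Path(home) if home is not None else Path.home()
    agents_dir = home / "Library" / "LaunchAgents"
    findings = {}
    if not agents_dir.is_dir():
        return findings
    for plist_file in sorted(agents_dir.glob("*.plist")):
        try:
            reasons = assess_launch_agent(plist_file, plist_file.read_bytes())
        except OSError as exc:
            reasons = [f"unreadable ({exc})"]
        if reasons:
            findings[str(plist_file)] = reasons
    return findings


# Constructed sample plists for offline testing; neither is a file taken from the campaign.
MALICIOUS_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.systemupdate</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/Metadata/System Update</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""
BENIGN_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/helper</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

if __name__ == "__main__":
    for path, data in (
        ("/Users/alice/Library/LaunchAgents/com.apple.systemupdate.plist", MALICIOUS_SAMPLE),
        ("/Users/alice/Library/LaunchAgents/com.example.helper.plist", BENIGN_SAMPLE),
    ):
        print(path, "->", assess_launch_agent(path, data) or "no findings")
    # On a real Mac this walks the current user's LaunchAgents folder.
    for path, reasons in scan_user_launch_agents().items():
        print(path, "->", reasons)
```

Run it as the affected user on a macOS host to check that account's LaunchAgents; the generic heuristics will also surface legitimate third-party agents that start binaries from ~/Library, so treat those lines as leads to verify rather than verdicts.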
07/01/2023 08:03
Marco Verro