RustBucket Mac Malware Attributed to BlueNoroff Threat Actor
Jamf, a mobile device management company, has identified a new malware called RustBucket that is being used to target Apple devices.
The malware is believed to be associated with the BlueNoroff advanced persistent threat group, a sub-group of Lazarus, a notorious threat group. The malware is disguised as a legitimate PDF viewer app named Internal PDF Viewer, and it consists of two stages.
The first stage is an unsigned app that downloads the second stage from the command and control server. The second stage is a signed application whose bundle identifier is made to look like a legitimate Apple one.
The two-stage design of RustBucket malware makes it difficult to analyze, especially if the command and control server goes offline. Currently, only a few security vendors detect both stages of RustBucket. However, the execution of the attack requires the correct PDF file to be opened, which initiates the communication between the attacker and the malware. To avoid falling victim to RustBucket, macOS users should keep Gatekeeper active at all times.
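As an added example (not code from Jamf's report or from the malware), the following Python parses the kind of text `codesign -dv --verbose=2` writes and applies the two checks the description above implies: refuse unsigned code, and flag a bundle identifier in Apple's `com.apple.` namespace whose signing chain is not Apple's own. The codesign output, paths and identifiers are constructed samples, not real RustBucket artifacts.

```python
# Constructed samples modelled on codesign -dv output. None is real RustBucket
# output; the identifiers and paths are placeholders.
SAMPLES = {
    "stage1_unsigned": "Internal PDF Viewer.app: code object is not signed at all\n",
    "stage2_adhoc_apple_lookalike": (
        "Executable=/Users/victim/Internal PDF Viewer.app/Contents/MacOS/Internal PDF Viewer\n"
        "Identifier=com.apple.EXAMPLE-pdfviewer\n"
        "Format=app bundle with Mach-O universal (x86_64 arm64)\n"
        "CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+7 location=embedded\n"
        "Signature=adhoc\n"
        "TeamIdentifier=not set\n"
    ),
    "genuine_apple_app": (
        "Executable=/System/Applications/Preview.app/Contents/MacOS/Preview\n"
        "Identifier=com.apple.Preview\n"
        "Authority=Software Signing\n"
        "Authority=Apple Code Signing Certification Authority\n"
        "Authority=Apple Root CA\n"
        "TeamIdentifier=not set\n"
    ),
}

def parse_codesign(text):
    """Turn codesign -dv output into a dict; repeated Authority= lines become a list."""
    info = {"Authority": []}
    for line in text.splitlines():
        if "code object is not signed at all" in line:
            info["unsigned"] = True
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Authority":
            info["Authority"].append(value)
        else:
            info[key] = value
    return info

def assess(info):
    """Return (verdict, reason) for an app's signing posture."""
    if info.get("unsigned"):
        return "block", "unsigned code object; Gatekeeper refuses this by default"
    adhoc = info.get("Signature") == "adhoc" or "(adhoc)" in info.get("CodeDirectory", "")
    ident = info.get("Identifier", "")
    chain = info["Authority"]
    # Apple's own apps carry the chain Software Signing ... Apple Root CA.
    apple_chain = chain[:1] == ["Software Signing"] and chain[-1:] == ["Apple Root CA"]
    if ident.startswith("com.apple.") and not apple_chain:
        signer = "ad-hoc" if adhoc else (chain or "unknown")
        return "suspicious", f"identifier {ident!r} claims Apple but signer is {signer}"
    if adhoc:
        return "suspicious", "ad-hoc signature: no developer identity, not notarized"
    return "ok", "identity chain " + " > ".join(chain)

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, *assess(parse_codesign(text)))
```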
How is Malware Like RustBucket Distributed?
The exact distribution method for RustBucket malware is not clear at this time. It is thought likely to spread through phishing emails or by exploiting vulnerabilities on the targeted system. The malware is disguised as a legitimate PDF viewer app, which can deceive users into thinking it is safe to download and execute.
Once installed, RustBucket has the ability to download additional malware components from a command and control server, which allows the attacker to take control of the infected system. It is important for users to exercise caution when opening attachments or downloading software, and to keep their operating system and security software up to date to reduce the risk of infection.