A financially-motivated North Korean threat actor is suspected to be behind a new Apple macOS malware strain called RustBucket.
“[RustBucket] communicates with command and control (C2) servers to download and execute various payloads,” Jamf Threat Labs researchers Ferdous Saljooki and Jaron Bradley said in a technical report published last week.
The Apple device management company attributed it to a threat actor known as BlueNoroff, a subgroup within the infamous Lazarus cluster that’s also tracked under the monikers APT38, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and TA444.
The connections stem from tactical and infrastructure overlaps with a prior campaign exposed by Russian cybersecurity company Kaspersky in late December 2022 likely aimed at Japanese financial entities using fake domains impersonating venture capital firms.
BlueNoroff, unlike other constituent entities of the Lazarus Group, is known for its sophisticated cyber-enabled heists targeting the SWIFT system as well as cryptocurrency exchanges as part of an intrusion set tracked as CryptoCore.
Earlier this year, the U.S. Federal Bureau of Investigation (FBI) implicated the threat actor for the theft of $100 million in cryptocurrency assets from Harmony Horizon Bridge in June 2022.
BlueNoroff’s attack repertoire is also said to have witnessed a major shift over the past few months, what with the group making use of job-themed lures to trick email recipients into entering their credentials on fake landing pages.
The macOS malware identified by Jamf masquerades as an “Internal PDF Viewer” application to activate the infection, although it bears noting that the success of the attack banks on the victim manually overriding Gatekeeper protections.
In reality, it’s an AppleScript file that’s engineered to retrieve a second-stage payload from a remote server, which also carries the same name as its predecessor. Both malicious apps are signed with an ad-hoc signature.
The second-stage payload, written in Objective-C, is a basic application that offers the ability to view PDF files and only initiates the next phase of the attack chain when a booby-trapped PDF file is opened through the app.
One such nine-page PDF document identified by Jamf purports to offer an “investment strategy,” which, when opened, reaches out to the command-and-control (C2) server to download and execute a third-stage trojan, a Mach-O executable written in Rust that comes with capabilities to run system reconnaissance commands.
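The two first-stage apps described above stand out because they are signed only with an ad-hoc signature and run only after the user overrides Gatekeeper. The following script is an added example for defenders, not code from the Jamf report or the article: it enumerates app bundles and flags those whose `codesign -dv --verbose=2` output reports `Signature=adhoc` (no Developer ID, `TeamIdentifier=not set`), and separately notes bundles built as AppleScript applets (a `Contents/Resources/Scripts/main.scpt` file). The two `codesign` outputs embedded below are constructed samples so the parser can be exercised offline; the scan itself assumes Apple's `codesign` tool is on the PATH.

```python
#!/usr/bin/env python3
"""Flag ad-hoc-signed and AppleScript-applet app bundles on macOS.

Added example for triage, not the report's or the article's own tooling.
Assumes: Apple's `codesign` CLI is available; bundle locations are the
usual /Applications and ~/Applications (both are assumptions).
"""
import os
import re
import shutil
import subprocess
from typing import Dict, Iterator, List

# codesign -dv --verbose=2 prints "Key=value" lines to stderr.
_KV = re.compile(r"^(?P<key>[A-Za-z ]+?)=(?P<val>.*)$")

# Constructed sample: what codesign prints for an ad-hoc-signed bundle.
ADHOC_SAMPLE = """Executable=/Applications/Internal PDF Viewer.app/Contents/MacOS/applet
Identifier=com.example.placeholder
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+5 location=embedded
Signature=adhoc
Info.plist entries=20
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=4
Internal requirements count=0 size=12
"""

# Constructed sample: a Developer ID-signed bundle carries Authority lines
# and a real team identifier instead of "Signature=adhoc".
DEVID_SAMPLE = """Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=5678 flags=0x10000(runtime) hashes=170+7 location=embedded
Signature size=8980
Authority=Developer ID Application: Example Inc (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
Runtime Version=13.0.0
Sealed Resources version=2 rules=13 files=40
Internal requirements count=1 size=176
"""


def parse_codesign(output: str) -> Dict[str, str]:
    """Turn codesign's Key=value lines into a dict (later keys overwrite)."""
    info: Dict[str, str] = {}
    for line in output.splitlines():
        m = _KV.match(line.strip())
        if m:
            info[m.group("key").strip()] = m.group("val").strip()
    return info


def is_adhoc(info: Dict[str, str]) -> bool:
    """True when the bundle has no signing identity.

    codesign reports "Signature=adhoc"; the CodeDirectory flags also carry
    "(adhoc)". Either indicator is accepted so a truncated output still triggers.
    """
    if info.get("Signature", "").lower() == "adhoc":
        return True
    return "(adhoc)" in info.get("CodeDirectory v", "")


def is_applescript_applet(bundle: str) -> bool:
    """AppleScript applets exported by Script Editor/osacompile keep their
    compiled script at Contents/Resources/Scripts/main.scpt."""
    return os.path.isfile(os.path.join(bundle, "Contents", "Resources",
                                       "Scripts", "main.scpt"))


def scan_apps(roots: List[str]) -> Iterator[Dict[str, object]]:
    """Yield one record per ad-hoc-signed bundle found under the given roots."""
    codesign = shutil.which("codesign")
    if codesign is None:
        return  # not a macOS host with developer tools; nothing to scan
    for root in roots:
        if not os.path.isdir(root):
            continue
        for name in sorted(os.listdir(root)):
            if not name.endswith(".app"):
                continue
            bundle = os.path.join(root, name)
            proc = subprocess.run([codesign, "-dv", "--verbose=2", bundle],
                                  capture_output=True, text=True)
            info = parse_codesign(proc.stderr)
            if is_adhoc(info):
                yield {"bundle": bundle,
                       "executable": info.get("Executable", ""),
                       "applescript_applet": is_applescript_applet(bundle)}


if __name__ == "__main__":
    roots = ["/Applications", os.path.expanduser("~/Applications")]
    for rec in scan_apps(roots):
        tag = " [AppleScript applet]" if rec["applescript_applet"] else ""
        print(f"ad-hoc signed: {rec['bundle']}{tag}")
```

An ad-hoc signature is not malicious by itself (locally built tools carry one too), so the output is a triage list: an ad-hoc-signed AppleScript applet that a user recently approved through a Gatekeeper override is the combination worth a closer look.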
“This PDF viewer technique used by the attacker is a clever one,” the researchers explained. “At this point, in order to perform analysis, not only do we need the stage-two malware but we also require the correct PDF file that operates as a key in order to execute the malicious code within the application.”
It’s not currently clear how initial access is obtained or whether the attacks were successful, but the development is a sign that threat actors are adapting their toolsets to accommodate cross-platform malware by using programming languages like Go and Rust.
The findings also come off a busy period of attacks orchestrated by the Lazarus Group aimed at organizations across countries and industry verticals for collecting strategic intelligence and performing cryptocurrency theft.
Lazarus Group (aka Hidden Cobra and Diamond Sleet) is less a distinct outfit and more of an umbrella term for a mixture of state-sponsored and criminal hacking groups that sit within the Reconnaissance General Bureau (RGB), North Korea’s primary foreign intelligence apparatus.
Recent activity undertaken by the threat actor has offered fresh evidence of the threat actor’s growing interest in exploiting trust relationships in the software supply chain as entry points to corporate networks.
Last week, the adversarial collective was linked to a cascading supply chain attack that weaponized trojanized installer versions of a legitimate app known as X_TRADER to breach enterprise communications software maker 3CX and poison its Windows and macOS apps.
Around the same time, ESET detailed Lazarus Group’s use of a Linux malware dubbed SimplexTea against the backdrop of a recurring social engineering campaign referred to as Operation Dream Job.
“It is also interesting to note that Lazarus can produce and use native malware for all major desktop operating systems: Windows, macOS, and Linux,” ESET malware researcher Marc-Etienne M.Léveillé pointed out last week.
Lazarus is far from the only RGB-affiliated state-sponsored hacking group known to conduct operations on behalf of the sanctions-hit country. Another equally prolific threat actor is Kimsuky (aka APT43 or Emerald Sleet), a sub-group of which is monitored by Google’s Threat Analysis Group (TAG) as ARCHIPELAGO.
“The actor primarily targets organizations in the U.S. and South Korea, including individuals working within the government, military, manufacturing, academic, and think tank organizations that possess subject matter expertise in defense and security, particularly nuclear security and nonproliferation policy,” Google-owned Mandiant noted last year.
Other lesser-known targets of Kimsuky include Indian and Japanese government and educational institutions, a set of attacks tracked by Taiwanese cybersecurity company TeamT5 under the name KimDragon.
The group has a history of deploying a raft of cyber weapons to exfiltrate sensitive information through a wide range of tactics such as spear-phishing, fraudulent browser extensions, and remote access trojans.
Latest findings released by VirusTotal highlight Kimsuky’s heavy reliance on malicious Microsoft Word documents to deliver its payloads. A majority of the files have been submitted to the malware-scanning platform from South Korea, the U.S., Italy, Israel, and the U.K.
“The group uses a variety of techniques and tools to conduct espionage, sabotage, and theft operations, including spear phishing and credential harvesting,” the Google Chronicle subsidiary said.