
A financially motivated North Korean threat actor is suspected of being behind a new strain of Apple macOS malware called RustBucket.
“[RustBucket] communicates with command and control (C2) servers to download and execute various payloads,” Jamf Threat Labs researchers Ferdous Saljooki and Jaron Bradley said in a technical report published last week.
The Apple device management company attributed it to a threat actor known as BlueNoroff, a subgroup within the notorious Lazarus cluster that also goes by the monikers APT28, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and TA444.
The connections come from tactical and infrastructure overlaps with an earlier campaign exposed by Russian cybersecurity firm Kaspersky in late December 2022, likely targeting Japanese financial institutions using fake domains impersonating venture capital firms.
BlueNoroff, unlike other constituent entities of the Lazarus Group, is known for its sophisticated cyber attacks targeting the SWIFT system as well as cryptocurrency exchanges as part of an intrusion suite tracked as CryptoCore.
Earlier this year, the US Federal Bureau of Investigation (FBI) implicated the threat actor in the theft of $100 million in cryptocurrency assets from Harmony Horizon Bridge in June 2022.
BlueNoroff’s attack repertoire is also said to have undergone a major shift in recent months, with the group making use of work-themed decoys to trick email recipients into entering their credentials on fake landing pages.
The macOS malware identified by Jamf disguises itself as an “Internal PDF Viewer” application to trigger the infection, although it should be noted that a successful attack requires the victim to manually override Gatekeeper protections.
It’s actually an AppleScript file designed to retrieve a second-stage payload from a remote server, which also has the same name as its predecessor. Both malicious applications are signed with an ad-hoc signature.
The second-stage payload, written in Objective-C, is a basic application that provides the ability to view PDF files and only initiates the next phase of the attack chain when a booby-trapped PDF file is opened via the application.
One such nine-page PDF document identified by Jamf purports to offer an “investment strategy,” and when launched it reaches out to the command and control (C2) server to download and execute a third-stage Trojan, a Mach-O executable written in Rust that includes capabilities to run system reconnaissance commands.
“This PDF viewing technique used by the attacker is clever,” the researchers explained. “At this point, in order to perform the analysis, we not only need the second-stage malware, but we also need the correct PDF file that acts as a key to execute the malicious code within the application.”
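The two artifacts the report calls out, an ad-hoc code signature and a Rust-built Mach-O, are both cheap to check during triage. The following added example (not from Jamf or the article) parses constructed `codesign -dvvv` output and a constructed Mach-O byte string; the bundle path, identifier and byte values are made up for illustration.

```python
# Constructed sample: the key=value lines `codesign -dvvv` prints for an ad-hoc signed bundle.
SAMPLE_CODESIGN = """\
Executable=/Users/victim/Downloads/Internal PDF Viewer.app/Contents/MacOS/Internal PDF Viewer
Identifier=com.example.pdfviewer
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=512 flags=0x2(adhoc) hashes=10+3 location=embedded
Signature=adhoc
Info.plist entries=12
TeamIdentifier=not set
"""

# Constructed sample: a 64-bit little-endian Mach-O header followed by the kind of
# source-path string rustc leaves in panic messages of release binaries.
SAMPLE_RUST_MACHO = (b"\xcf\xfa\xed\xfe" + b"\x00" * 60
                     + b"/rustc/0000000000000000000000000000000000000000/library/core/src/panicking.rs")

# Mach-O magic numbers: thin 32/64-bit in both byte orders, plus fat (universal) binaries.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
}

def parse_codesign(output: str) -> dict:
    """Turn codesign's key=value lines into a dict (first occurrence of a key wins)."""
    info = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() not in info:
            info[key.strip()] = value.strip()
    return info

def is_adhoc_signed(output: str) -> bool:
    """Ad-hoc signatures show up as 'Signature=adhoc' and the '(adhoc)' CodeDirectory flag."""
    info = parse_codesign(output)
    return info.get("Signature") == "adhoc" or "(adhoc)" in info.get("CodeDirectory v", "")

def looks_like_rust_macho(data: bytes) -> bool:
    """Mach-O header plus the '/rustc/' path marker; a heuristic, not proof of origin."""
    return data[:4] in MACHO_MAGICS and b"/rustc/" in data

def triage(app_name: str, codesign_output: str, main_binary: bytes) -> list:
    """Collect the signals from this report that are worth a closer look."""
    findings = []
    if is_adhoc_signed(codesign_output):
        findings.append("ad-hoc signature: no developer identity, needs a Gatekeeper override to run")
    if looks_like_rust_macho(main_binary):
        findings.append("Rust-built Mach-O")
    if "pdf" in app_name.lower() and findings:
        findings.append("PDF-viewer-themed bundle name alongside the above")
    return findings

if __name__ == "__main__":
    for finding in triage("Internal PDF Viewer.app", SAMPLE_CODESIGN, SAMPLE_RUST_MACHO):
        print("finding:", finding)
```

On a real system the `codesign` text comes from `codesign -dvvv /path/to/App.app 2>&1`, and the bytes from the bundle's main executable; an ad-hoc signature alone is not malicious, so treat the output as a hunt lead rather than a verdict.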
It is currently unclear how the initial access was gained and whether the attacks were successful, but the development is a sign that threat actors are adapting their toolsets to accommodate cross-platform malware using languages programming languages such as Go and Rust.
The findings also come amid an intense period of attacks orchestrated by the Lazarus Group targeting organizations across countries and industry verticals to gather strategic intelligence and carry out cryptocurrency theft.
Lazarus Group (also known as Hidden Cobra and Diamond Sleet) is less a distinct outfit and more an umbrella term for a mix of state-sponsored criminal hacking groups located within the Reconnaissance General Bureau (RGB), North Korea’s main foreign intelligence apparatus.
Recent activity has offered new evidence of the threat actor’s growing interest in exploiting trust relationships in the software supply chain as entry points to corporate networks.
Last week, the adversary collective was linked to a cascading supply chain attack that weaponized trojanized installer versions of a legitimate application known as X_TRADER to breach enterprise communications software maker 3CX and poison its Windows and macOS applications.
Around the same time, ESET detailed the Lazarus Group’s use of a Linux malware called SimplexTea in the context of a recurring social engineering campaign called Operation Dream Job.
“It is also interesting to note that Lazarus can produce and use native malware for all major desktop operating systems: Windows, macOS and Linux,” ESET malware researcher Marc-Etienne M.Léveillé noted last week.
Lazarus is far from the only state-sponsored RGB-affiliated hacking group known to conduct operations on behalf of the sanctions-hit country. Another equally prolific threat actor is Kimsuky (aka APT43 or Emerald Sleet), a subgroup of which is monitored by Google’s Threat Analysis Group (TAG) as ARCHIPELAGO.
“The actor primarily targets organizations in the United States and South Korea, including individuals working within government, military, manufacturing, academic, and think tank organizations who have subject matter expertise in defense and security, particularly nuclear security and non-proliferation policy,” Mandiant-owned Google noted last year.
Other lesser-known targets of Kimsuky include the Indian and Japanese government and educational institutions, a set of attacks tracked by Taiwanese cybersecurity firm TeamT5 under the name KimDragon.
The group has a history of deploying a number of cyberweapons to exfiltrate sensitive information using a wide range of tactics such as phishing, fraudulent browser extensions and remote access Trojans.
The latest findings released by VirusTotal highlight Kimsuky’s heavy reliance on malicious Microsoft Word documents to deliver its payloads. The majority of files were submitted to the malware scanning platform from South Korea, the US, Italy, Israel, and the UK.
“The group uses a variety of techniques and tools to carry out espionage, sabotage and theft operations, including phishing and credential harvesting,” the Google Chronicle affiliate said.
The tech world is abuzz with news that the Lazarus subgroup is targeting Apple devices with a new RustBucket macOS malware. This subgroup, which is associated with North Korea, is a huge cyber-threat to Apple users.
RustBucket is an open-source backdoor which is designed to allow malicious actors to remotely control and monitor Apple macOS systems. The creators of RustBucket have made it ‘modular’ so that new malicious payloads can be added to the malware in the future.
This new malware is particularly concerning because it is able to bypass defenses, allowing the attackers to remain hidden and avoid detection until it is too late. This could potentially lead to follow-on attacks such as ransomware, data theft, and denial-of-service attacks.
At Ikaroa, we understand the importance of having robust systems in place to stay ahead of these threats. We are committed to providing comprehensive security solutions to our customers, helping them protect their devices and data from malicious attacks.
As part of our commitment to security, we provide ongoing security communications and updates to ensure our users stay up-to-date with the latest cyber-threats. We also advise our customers to keep their systems and software up to date, and to only download from secure and trusted sources.
Users should never open email attachments from suspicious sources and are advised to be aware of phishing scams. They should also be mindful of where and how they can access their devices and only use a secure Wi-Fi connection.
At Ikaroa, we understand the importance of monitoring the latest cyber-threats. We are continuously researching and evaluating methods to improve our products and services to help keep our customers secure. We are committed to providing our customers with the tools and knowledge they need to stay secure online.