The North Korea-linked BlueNoroff APT group has been observed by security firm Jamf using a new macOS malware called RustBucket in recent attacks.
The RustBucket malware allows operators to download and execute various payloads.
The first stage was contained within an unsigned application named Internal PDF Viewer.app, which can only be executed by manually overriding the Gatekeeper security measure.
The second stage of the malware communicates with the C2 server to fetch the third-stage payload, an ad-hoc signed trojan written in Rust. The trojan can run on both ARM and x86 architectures.
The third-stage payload allows the attacker to carry out a broad range of malicious activities on the system.
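Two of the properties reported above, an unsigned first stage and an ad-hoc signed, dual-architecture third stage, can be confirmed statically from the Mach-O file itself without running it. The following triage script is an added example written for this article, not code from Jamf's report or from the malware: it walks the fat header, each 64-bit slice's load commands and the embedded code-signature SuperBlob, and reads the CodeDirectory's CS_ADHOC flag (the same flag `codesign -dv` reports as `Signature=adhoc`). The sample binaries at the bottom are constructed in-line so the script runs offline; their identifiers and layout are made up and are not RustBucket artifacts.

```python
"""Static triage of a Mach-O binary: architecture slices and code-signature status."""
import struct

FAT_MAGIC = 0xCAFEBABE                     # fat/universal header magic (big-endian)
MH_MAGIC_64 = 0xFEEDFACF                   # 64-bit Mach-O magic (little-endian slice)
LC_CODE_SIGNATURE = 0x1D
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0    # code-signature SuperBlob
CSMAGIC_CODEDIRECTORY = 0xFADE0C02
CS_ADHOC = 0x00000002                      # CodeDirectory flag: no CMS signature / no identity
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}


def parse_code_directory(data, blob):
    """Read CodeDirectory flags and identifier; CS_ADHOC marks an ad-hoc signature."""
    _magic, _length, _version, flags, _hash_off, ident_off = struct.unpack_from(">6I", data, blob)
    end = data.index(b"\0", blob + ident_off)
    ident = data[blob + ident_off:end].decode("ascii", "replace")
    return {"signature": "adhoc" if flags & CS_ADHOC else "signed", "identifier": ident}


def parse_signature(data, off):
    """Walk the SuperBlob index looking for the CodeDirectory blob."""
    magic, _length, count = struct.unpack_from(">3I", data, off)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        return {"signature": "malformed", "identifier": None}
    for i in range(count):
        _slot, blob_off = struct.unpack_from(">2I", data, off + 12 + 8 * i)
        if struct.unpack_from(">I", data, off + blob_off)[0] == CSMAGIC_CODEDIRECTORY:
            return parse_code_directory(data, off + blob_off)
    return {"signature": "malformed", "identifier": None}


def parse_slice(data, base):
    """Inspect one 64-bit Mach-O image starting at file offset `base`."""
    magic, cputype, _sub, _ftype, ncmds, _szcmds, _flags, _res = struct.unpack_from("<8I", data, base)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit Mach-O slice at offset %d" % base)
    info = {"arch": CPU_NAMES.get(cputype, hex(cputype)), "signature": "unsigned", "identifier": None}
    off = base + 32                                   # load commands follow the 32-byte header
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd == LC_CODE_SIGNATURE:                  # linkedit_data_command: dataoff, datasize
            dataoff, _datasize = struct.unpack_from("<2I", data, off + 8)
            info.update(parse_signature(data, base + dataoff))
        off += cmdsize
    return info


def inspect(data):
    """Return one record per architecture slice (fat binaries yield several)."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return [parse_slice(data, 0)]
    nfat = struct.unpack_from(">I", data, 4)[0]
    slices = []
    for i in range(nfat):                             # fat_arch entries are 20 bytes, big-endian
        _cpu, _sub, offset, _size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
        slices.append(parse_slice(data, offset))
    return slices


def triage(data):
    """Summarise the findings a responder would look at first."""
    slices = inspect(data)
    archs = sorted(s["arch"] for s in slices)
    statuses = sorted({s["signature"] for s in slices})
    findings = ["architectures: " + ", ".join(archs), "signature: " + ", ".join(statuses)]
    if {"arm64", "x86_64"} <= set(archs):
        findings.append("universal binary: runs natively on Apple silicon and Intel Macs")
    if "adhoc" in statuses:
        findings.append("ad-hoc signature: no developer identity, cannot be notarized")
    if "unsigned" in statuses:
        findings.append("unsigned: Gatekeeper blocks it unless the user overrides")
    return findings


# --- constructed sample binaries (not real malware; minimal structures for the parser) ---

def _build_slice(cputype, identifier=None, cs_flags=CS_ADHOC):
    """Build a tiny 64-bit Mach-O with an optional embedded code signature."""
    cmds, sig = b"", b""
    if identifier is not None:
        ident = identifier.encode() + b"\0"
        cd_len = 44 + len(ident)                      # 44-byte CodeDirectory header, then identifier
        cd = struct.pack(">6I", CSMAGIC_CODEDIRECTORY, cd_len, 0x20400, cs_flags, cd_len, 44)
        cd += b"\0" * 20 + ident
        sig = struct.pack(">3I", CSMAGIC_EMBEDDED_SIGNATURE, 20 + cd_len, 1)
        sig += struct.pack(">2I", 0, 20) + cd         # slot 0 = CodeDirectory at offset 20
        cmds = struct.pack("<4I", LC_CODE_SIGNATURE, 16, 32 + 16, len(sig))
    header = struct.pack("<8I", MH_MAGIC_64, cputype, 0, 2, 1 if cmds else 0, len(cmds), 0, 0)
    return header + cmds + sig


def _build_fat(slices):
    """Wrap Mach-O slices in a fat header (big-endian)."""
    hdr = struct.pack(">2I", FAT_MAGIC, len(slices))
    offset, body = 8 + 20 * len(slices), b""
    for cputype, blob in slices:
        hdr += struct.pack(">5I", cputype, 0, offset + len(body), len(blob), 0)
        body += blob
    return hdr + body


SAMPLE_ADHOC_UNIVERSAL = _build_fat([
    (CPU_TYPE_ARM64, _build_slice(CPU_TYPE_ARM64, "sample-adhoc-universal")),
    (CPU_TYPE_X86_64, _build_slice(CPU_TYPE_X86_64, "sample-adhoc-universal")),
])
SAMPLE_UNSIGNED_X86 = _build_slice(CPU_TYPE_X86_64)

if __name__ == "__main__":
    for name, blob in (("adhoc universal", SAMPLE_ADHOC_UNIVERSAL), ("unsigned x86_64", SAMPLE_UNSIGNED_X86)):
        print(name)
        for line in triage(blob):
            print("  -", line)
```

On a real Mac the same three facts come from `lipo -archs`, `codesign -dv --verbose=2` and `xattr -p com.apple.quarantine`; the parser above is useful when the sample sits on a Linux analysis box where those tools are absent, or when you want the check inside a detection pipeline. It deliberately reads only headers and never maps or executes the file.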
The attribution to the BlueNoroff APT group is based on the domain cloud[.]dnx[.]capital used in the stage-one dropper and the use of fake domains impersonating venture capital firms and banks. The experts believe that more APT groups may start attacking macOS.
Indicators of Compromise