The notorious North Korean state-sponsored threat group Lazarus has been using the new RustBucket malware to target macOS devices. Based on reports, the malware retrieves additional payloads from the threat actor’s C2 server.
Moreover, the Lazarus group utilised stage-one malware embedded in an unsigned app to retrieve and run a stage-two payload on a targeted system. Researchers confirmed that the app containing the stage-one malware is called “Internal PDF Viewer[.]app.”
The malicious application will not run unless the user manually overrides Gatekeeper. This detail implies that the threat actors rely on social engineering to deceive victims into starting the infection chain themselves.
Furthermore, the second-stage payload is a signed app that uses a bundle identifier impersonating a legitimate Apple one. The payload also displays a decoy PDF to the victim containing data taken from the website of a legitimate venture capital company.
The RustBucket malware then initiates communication with the actors’ command-and-control server to retrieve a third payload and begin the final phase of the attack.
According to investigations, the RustBucket malware contacts the C2 server to obtain the stage-three payload. The third payload is a signed trojan written in Rust that runs on both x86 and ARM architectures.
Subsequently, the malware harvests system information such as the current time, the list of running processes, and whether the target is running inside a virtual machine. Once the malware has collected this information, the attacker can execute various commands on the infected device.
The use of fake domains that impersonate venture capital companies, combined with social engineering, resembles a previous Lazarus-linked cybercriminal campaign, as both attacks rely on a stage-one dropper. Hence, a researcher claims the North Korean state-sponsored threat group is behind the RustBucket campaign against macOS devices.
This new malware campaign shows that the actors are actively targeting macOS users. Therefore, cybersecurity experts warn Apple device owners to be vigilant about this campaign. Users should know how to recognise legitimate emails and domains and be wary of social engineering attempts by threat actors.