RustBucket: How North Korean Hackers Use Rust Malware to Circumvent Sanctions and Generate Illegal Profits
The multi-platform threat can steal passwords, encrypt files, delete data, and install backdoors.
Researchers have revealed an updated version of the RustBucket malware targeted at macOS users. This version adds capabilities for more robust infiltration and for evading detection by antivirus solutions.
“This variant of RustBucket – part of a family of malware that attacks macOS systems – integrates persistence features never seen before,” Elastic Security Labs said in a recent report. They also emphasize that the updated RustBucket “applies a flexible network infrastructure strategy to manage and coordinate its actions.”
RustBucket is a toolkit developed by the North Korean cyberthreat actor known by the alias BlueNoroff. This is just one of many cyber operations run by the elite hacker group Lazarus Group. Lazarus Group, in turn, operates under the control of the Main Intelligence Directorate (RGB) of North Korea, the country’s key intelligence agency.
The malware was first documented in April 2023, when Jamf Threat Labs described it as an AppleScript-based backdoor capable of retrieving a secondary payload from a remote server. Elastic tracks this activity as REF9135.
The Swift-compiled second-stage malware is designed to download the primary payload from the command-and-control (C2) server: a Rust-based binary with extensive information-gathering capabilities that can also fetch and run additional Mach-O binaries or shell scripts on the compromised system.
This is the first time the BlueNoroff malware has specifically targeted macOS users, although a .NET version of RustBucket has since emerged in the wild with a similar feature set.
“The recent activity of the Bluenoroff hacker group clearly demonstrates how they use cross-platform languages in their attacks, the purpose of which is to develop malware. This approach is most likely aimed at empowering and increasing the number of potential victims,” states an analysis of the RustBucket campaign conducted by the French cybersecurity company Sekoia at the end of May 2023.
The infection chain starts with a macOS installer file that installs a fake but functional PDF reader. A notable aspect of the attacks is that the malicious activity is only triggered when a weaponized PDF file is opened with the fake PDF reader. Initial access vectors include phishing emails and fake social media accounts.
The observed attacks are highly targeted and primarily focus on financial institutions in Asia, Europe and the United States. This indicates that the activity is aimed at generating illicit revenue in circumvention of sanctions.
The standout features of the newly identified version are its unusual persistence mechanism and its use of a dynamic DNS domain (docsend.linkpc[.]net) for command and control, coupled with measures to minimize the visibility of its activities.
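Because the C2 host is a dynamic DNS name, its IP address can be re-pointed at will, so a defender should hunt on the domain rather than on any resolved address. The following Python script is an added defensive illustration, not code from Elastic, Jamf or Sekoia: it refangs the indicator quoted above and flags resolver queries for that domain or any of its subdomains. The BIND-style query log lines are constructed samples, and the log format is an assumption you would adapt to your own resolver.

```python
import re

# Indicator from the Elastic report on the updated RustBucket sample,
# written defanged as on the page; refanged below for matching.
DEFANGED_C2 = "docsend.linkpc[.]net"


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'a[.]b' back into a matchable hostname."""
    return domain.replace("[.]", ".").replace("(.)", ".").lower().rstrip(".")


C2_DOMAIN = refang(DEFANGED_C2)

# Constructed sample log lines (assumption: BIND-style query log format).
# They include a mixed-case FQDN with a trailing dot, a subdomain of the
# indicator, and two look-alikes that must NOT fire.
SAMPLE_LOG = """\
12-Jul-2023 09:14:02.118 client 10.0.0.21#51234: query: www.apple.com IN A + (10.0.0.1)
12-Jul-2023 09:14:05.402 client 10.0.0.33#49877: query: docsend.linkpc.net IN A + (10.0.0.1)
12-Jul-2023 09:14:06.010 client 10.0.0.33#49878: query: DocSend.LinkPC.net. IN AAAA + (10.0.0.1)
12-Jul-2023 09:15:11.777 client 10.0.0.44#53001: query: api.docsend.linkpc.net IN A + (10.0.0.1)
12-Jul-2023 09:15:12.300 client 10.0.0.21#51240: query: docsend.com IN A + (10.0.0.1)
12-Jul-2023 09:15:13.900 client 10.0.0.21#51241: query: notdocsend.linkpc.net IN A + (10.0.0.1)
"""

QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query(line: str):
    """Parse one query-log line into a dict, or return None if it does not match."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Normalise the queried name: DNS is case-insensitive and loggers may
    # emit the trailing root dot.
    rec["qname"] = rec["qname"].lower().rstrip(".")
    return rec


def matches_indicator(qname: str, indicator: str = C2_DOMAIN) -> bool:
    """Exact match or a subdomain of the indicator. Deliberately not a
    substring match, so 'docsend.com' and 'notdocsend.linkpc.net' do not fire."""
    return qname == indicator or qname.endswith("." + indicator)


def find_c2_lookups(log_text: str, indicator: str = C2_DOMAIN):
    """Return (source_ip, queried_name, query_type) for every matching lookup."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_query(line)
        if rec and matches_indicator(rec["qname"], indicator):
            hits.append((rec["src"], rec["qname"], rec["qtype"]))
    return hits


if __name__ == "__main__":
    for src, qname, qtype in find_c2_lookups(SAMPLE_LOG):
        print(f"ALERT possible RustBucket C2 lookup: {src} -> {qname} ({qtype})")
```

Run against the constructed log, the script reports the two lookups from 10.0.0.33 and the subdomain lookup from 10.0.0.44, while ignoring `docsend.com` and `notdocsend.linkpc.net`. Matching on the domain suffix rather than on a resolved IP is what makes this robust against the dynamic DNS re-pointing the article describes.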
“In the case of an updated RustBucket sample, it sets its own persistence by adding a plist file at /Users/