A newly discovered family of macOS malware, likely being deployed in attacks by a known North Korean APT, joins a growing number of malware families targeting Mac devices as more users rely on these products in the enterprise.
The malware, named “RustBucket,” is distributed in a three-stage attack that results in the execution of a trojan written in Rust, which performs a number of system reconnaissance commands - including collecting basic information about the system, current time and if it's running in a VM - and communicates with command-and-control (C2) servers for further instructions, according to researchers with Jamf Threat Labs in a Friday analysis.
“We are unsure of how many victims exist,” said Jaron Bradley, macOS detections expert with Jamf. “We believe that the attackers are very active but still very targeted in who they choose to go after.”
While carrying out hunting routines for AppleScript applications containing suspicious commands, researchers first came across a dropper associated with the first stage of the attack in an unsigned application called Internal PDF Viewer.app. It’s unknown how the application is first shared, though Bradley said that the potential actor behind the attack has a history of using social engineering on LinkedIn to engage with victims. Notably, because the application is unsigned it would likely be blocked by Gatekeeper, and a user would need to manually override Gatekeeper in order to run it.
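The hunting routine described above, sweeping a filesystem for AppleScript-based applications and flagging the ones that carry no code signature, can be reduced to a small triage script. The following is an added example and is not Jamf's tooling; it assumes the layout Script Editor uses for exported applets (an executable named `applet` or `droplet` plus `Contents/Resources/Scripts/main.scpt`) and treats a missing `_CodeSignature/CodeResources` as "unsigned", which is only a first-pass structural signal. It builds constructed, empty bundles in a temporary directory so it runs offline; the bundle names (including "Internal PDF Viewer.app") are placeholders taken from the article, not real samples.

```python
"""Triage .app bundles for unsigned AppleScript applets (added example).

Heuristics (assumptions, not a Jamf rule set):
  * applet bundles have CFBundleExecutable == "applet" / "droplet"
  * their compiled script lives at Contents/Resources/Scripts/main.scpt
  * signed bundles carry Contents/_CodeSignature/CodeResources
"""
import os
import plistlib
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path


def is_applescript_applet(app: Path) -> bool:
    """True if the bundle looks like an AppleScript applet exported from Script Editor."""
    info = app / "Contents" / "Info.plist"
    if not info.is_file():
        return False
    try:
        with info.open("rb") as fh:
            exe = plistlib.load(fh).get("CFBundleExecutable", "")
    except Exception:  # unreadable or non-plist Info.plist: not an applet we recognise
        return False
    script = app / "Contents" / "Resources" / "Scripts" / "main.scpt"
    return exe in ("applet", "droplet") and script.is_file()


def has_code_signature(app: Path) -> bool:
    """Structural check for a code-signing seal.

    Only says a seal exists, not that it is valid, non-ad-hoc or notarized.
    On macOS it falls back to `codesign --verify`, which does check validity.
    """
    if (app / "Contents" / "_CodeSignature" / "CodeResources").is_file():
        return True
    if sys.platform == "darwin" and shutil.which("codesign"):
        r = subprocess.run(["codesign", "--verify", "--deep", str(app)],
                           capture_output=True)
        return r.returncode == 0
    return False


def hunt(root: Path) -> list[str]:
    """Return sorted paths of bundles under root that are unsigned AppleScript applets."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in list(dirnames):
            if d.endswith(".app"):
                app = Path(dirpath) / d
                dirnames.remove(d)  # do not descend into the bundle itself
                if is_applescript_applet(app) and not has_code_signature(app):
                    hits.append(str(app))
    return sorted(hits)


def make_applet(app: Path, signed: bool, name: str = "Internal PDF Viewer") -> None:
    """Build a constructed, empty applet bundle for the demo (contains no real code)."""
    (app / "Contents" / "MacOS").mkdir(parents=True)
    (app / "Contents" / "Resources" / "Scripts").mkdir(parents=True)
    with (app / "Contents" / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleExecutable": "applet", "CFBundleName": name}, fh)
    (app / "Contents" / "MacOS" / "applet").write_bytes(b"")
    (app / "Contents" / "Resources" / "Scripts" / "main.scpt").write_bytes(b"")
    if signed:
        sig = app / "Contents" / "_CodeSignature"
        sig.mkdir()
        (sig / "CodeResources").write_bytes(b"")


def demo() -> list[str]:
    """Constructed fixture: one unsigned applet, one signed applet, one native app."""
    root = Path(tempfile.mkdtemp())
    try:
        make_applet(root / "Internal PDF Viewer.app", signed=False)
        make_applet(root / "Signed Viewer.app", signed=True)
        (root / "Native.app" / "Contents").mkdir(parents=True)
        with (root / "Native.app" / "Contents" / "Info.plist").open("wb") as fh:
            plistlib.dump({"CFBundleExecutable": "Native"}, fh)
        return [Path(h).name for h in hunt(root)]  # -> ["Internal PDF Viewer.app"]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for hit in demo():
        print("unsigned AppleScript applet:", hit)
```

On a real macOS host the hits are the starting point, not the verdict: decompile the script with `osadecompile Contents/Resources/Scripts/main.scpt` to look for the download-and-execute commands the article describes, and ask Gatekeeper directly with `spctl --assess --type execute "<bundle>"`, which also catches bundles that carry a seal but are only ad-hoc signed or not notarized.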
The dropper executes various commands that then download a second-stage application, this time signed, also called Internal PDF Viewer.app.
“By breaking up the malware into several components or stages, the malware author makes analysis more difficult, especially if the C2 goes offline,” said researchers. “This is a clever but common technique used by malware authors to thwart analysis.”
When the target opens the attacker-supplied PDF in this viewer, the application displays a nine-page decoy document describing a venture capital firm that wants to invest in various tech startups; the attackers appear to have copied the website of a small, legitimate venture capital firm, said researchers. In the background, the malware makes a POST request to the C2 server, which researchers believe retrieves and executes the third-stage payload. That final payload maintains a persistent connection to the attacker, and Bradley said researchers are still investigating its functionality beyond reconnaissance.
In the attack, “[the] PDF viewer technique used by the attacker is a clever one,” said researchers. “At this point, in order to perform analysis, not only do we need the stage-two malware but we also require the correct PDF file that operates as a key in order to execute the malicious code within the application."
Researchers found links between this campaign and previous campaigns attributed to BlueNoroff, a group with ties to the Lazarus APT. The stage-one dropper uses a domain previously seen in activity overlapping with BlueNoroff, for instance, and the social engineering lures used in the PDF document resemble earlier BlueNoroff fake domains that impersonated VC firms and banks.
Researchers said that as the market share of macOS devices used by businesses grows, more prominent threat actors are fine-tuning their malware to target the platform. Last week, for instance, a new LockBit ransomware variant targeting macOS was discovered.
"The malware used here shows that as macOS grows in market share, attackers realize that a number of victims will be immune if their tooling is not updated to include the Apple ecosystem,” said researchers. “Lazarus group, which has strong ties to BlueNoroff, has a long history of attacking macOS and it’s likely we’ll see more APT groups start doing the same.”