A new variant of the Rustbucket macOS malware associated with a subsidiary of North Korea’s Lazarus Group has emerged and researchers discovered that it has new persistence mechanisms and is currently not detected by any of the major antimalware systems.
Rustbucket first came to light in April when researchers at Jamf discovered a group referred to as BlueNorOff using the malware in a series of attacks. BlueNorOff is a known North Korean APT group that researchers say is a subset of the much larger and noisier Lazarus Group, which has been tied to a long list of high-profile intrusions. Many of those attacks have targeted cryptocurrency companies, exchanges, and other financial institutions. In a recent intrusion, researchers at Elastic Security Labs observed a group the lab tracks as REF9135 using the new version of Rustbucket to attack a cryptocurrency company in Europe.
Like the older version of the malware, the new iteration uses a three-stage model to eventually execute its final payload and gain persistence on targeted machines. In past intrusions, Rustbucket has used LaunchAgents to maintain persistence, which is a common tactic for macOS malware. The newer version takes a different tack.
“In the case of this updated RUSTBUCKET sample, it establishes its own persistence by adding a plist file at the path /Users/
The persistence mechanism connects to a domain that is known to be malicious and has been used in other attack campaigns, including phishing campaigns. The Elastic Security Labs researchers dug into the domains and other infrastructure used in this attack and were able to connect it to BlueNorOff and some other campaigns. In the intrusion at the cryptocurrency organization, REF9135 used a variety of techniques to evade defensive technologies and analysis.
“There is a specific User-Agent string (cur1-agent) that is expected when downloading the Stage 2 binary; if you do not use the expected User-Agent, you will be provided with a 405 HTTP response status code. It also appears that the campaign owners are monitoring their payload staging infrastructure. Using the expected User-Agent for the Stage 3 binary download (mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)), we were able to collect the Stage 3 binary,” the researchers said.
“Finally, we observed REF9135 changing its C2 domain once we began to collect the Stage 2 and 3 binaries for analysis. When making subsequent requests to the original server (crypto.hondchain[.]com), we received a 404 HTTP response status code (Not Found) and shortly after, a new C2 server was identified (starbucls[.]xyz).”
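The staging behaviour the researchers describe, a fixed User-Agent gate for each stage and a C2 domain that rotated mid-analysis, gives a defender three network indicators to hunt for. The following is an added example, not code from Elastic Security Labs, that scans constructed proxy log lines in an assumed `timestamp client host status "user-agent"` layout for those indicators.

```python
import re
from dataclasses import dataclass

# Indicators quoted in the write-up: the User-Agent the Stage 2 download
# requires, the Stage 3 User-Agent, and the two C2 domains (written
# defanged as hondchain[.]com / starbucls[.]xyz in the article).
STAGE2_UA = "cur1-agent"
STAGE3_UA = "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)"
C2_DOMAINS = {"crypto.hondchain.com", "starbucls.xyz"}

# Assumed proxy log layout (constructed for this example):
# <timestamp> <client_ip> <host> <status> "<user_agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "(.*)"$')


@dataclass
class Hit:
    line_no: int
    client: str
    host: str
    reason: str


def scan_proxy_log(lines):
    """Return one Hit per log line that matches a Rustbucket staging indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        _ts, client, host, status, ua = m.groups()
        ua_l = ua.lower()  # the article quotes the UA strings in lower case
        if ua_l == STAGE2_UA:
            hits.append(Hit(n, client, host, "stage-2 user-agent 'cur1-agent'"))
        elif ua_l == STAGE3_UA:
            hits.append(Hit(n, client, host, "stage-3 user-agent (IE8 string)"))
        elif host.lower() in C2_DOMAINS:
            # Includes the 405s a wrong-UA probe gets from the staging server.
            hits.append(Hit(n, client, host, f"known C2 domain (HTTP {status})"))
    return hits


# Constructed sample log: one macOS host walking through the staging flow.
SAMPLE_LOG = [
    '2023-06-28T10:14:02Z 10.0.0.12 crypto.hondchain.com 405 "curl/8.1.2"',
    '2023-06-28T10:14:09Z 10.0.0.12 crypto.hondchain.com 200 "cur1-agent"',
    '2023-06-28T10:15:30Z 10.0.0.12 crypto.hondchain.com 200 '
    '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"',
    '2023-06-28T10:20:00Z 10.0.0.44 example.org 200 "Mozilla/5.0 (Macintosh)"',
    '2023-06-28T11:02:11Z 10.0.0.12 starbucls.xyz 200 "cur1-agent"',
]

if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.client} -> {h.host}: {h.reason}")
```

Because the Stage 3 string is a stock IE8 User-Agent, treat that match as a lead to pivot on (a macOS client should never send it) rather than a verdict on its own.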
North Korean APT groups consistently target cryptocurrency organizations and other financial institutions, and are known to develop their own malware, techniques, and tools. The discovery of a new version of Rustbucket that has evaded detection thus far shows that these teams are not slowing down their work in any way.