Experts Detected a New Variant of North Korea-Linked RUSTBUCKET macOS Malware

Cyber Security Threat Summary:
“Researchers from Elastic Security Labs have discovered a new variant of the RustBucket Apple macOS malware. In April, the security firm Jamf observed the North Korea-linked BlueNoroff APT group using this new malware. BlueNoroff operates under the control of the notorious Lazarus APT group, also linked to North Korea. The RustBucket malware enables the operators to download and execute different payloads. The attribution to BlueNoroff APT is based on similarities found in Kaspersky's analysis. The malware's initial stage is hidden in an unsigned application named Internal PDF, which can bypass the Gatekeeper security measure. The second stage, masquerading as a legitimate Apple bundle identifier, communicates with a command-and-control server to fetch a third-stage payload, a trojan written in the Rust language. This trojan can run on both ARM and x86 architectures and allows the attacker to carry out various malicious activities on the infected system” (SecurityAffairs, 2023).

Security Officer Comments:
Leveraging PDF-related content to deliver malware is not a new tactic by any means. Displaying capabilities to modify malware and code to target specific operating systems, such as Apple's macOS, does require some level of sophistication and technical ability, which can be indicative of nation-state activity. In these particular campaigns, Elastic has attributed the activity to the BlueNoroff APT group, linked to North Korea's Lazarus APT group. They have targeted organizations in the cryptocurrency realm. The malware demonstrates improved capabilities and persistence methods compared to its previous version and has deployed and in various geographic locations.

Suggested Correction(s):
The verification of legitimate computer programs is crucial for security and malware prevention. It establishes trust in the source and integrity of software, ensuring users can confidently install programs without fear of tampering or malicious code. Verification processes such as digital signatures and code signing help detect malware and protect against supply chain attacks. By verifying the authenticity of software, organizations can ensure system stability, prevent conflicts, and comply with licensing agreements and industry regulations. Overall, verifying legitimate programs is a vital step in safeguarding against malware and maintaining a secure computing environment.