A Journey into Reversing RustBucket on macOS
Contents
In the Realm of Rust
A Journey into Reversing RustBucket on macOS
Jaron Bradley
Director
Jamf Threat Labs
Ferdous Saljooki
Senior Threat Researcher
Jamf Threat Labs
Agenda
Intro into BlueNoroff and Lazarus
RustBucket Malware Discovery and Analysis
Tool Release - SpriteTree
Reversing Rust Executables and Difficulties
Repurposing RustBucket
The different topics covered today
Now Playing… The Lazarus Heist
Whois Lazarus Group/BlueNoroff
• For the best recap of what this threat actor group has been up to over the past few years, I’d highly recommend listening to the BBC podcast “The Lazarus Heist”.
• Lazarus Group is a North Korean state-sponsored hacking group. When it comes to the macOS platform specifically, we suspect they are one of the most active threats out there.
[Slide graphic: campaigns attributed to Lazarus Group: Sony, SnatchCrypto, CryptoMimic, supply-chain, Operation Dream Job, JumpCloud, 3CX, WannaCry, DangerousPassword]
• An overview of some of the best-known campaigns attributed to Lazarus Group
• The 2014 Sony Pictures compromise has been attributed to Lazarus; various internal documents containing sensitive information and data on Sony employees and senior executives were leaked.
• Later in 2017 the …
IoC
97c81d2a190d1f639aa90d27db3bd6a1
http://deck.31ventures.info