lazarusholic


BlueNoroff | How DPRK’s macOS RustBucket Seeks to Evade Analysis and Detection

2023-07-05, SentinelOne
https://www.sentinelone.com/blog/bluenoroff-how-dprks-macos-rustbucket-seeks-to-evade-analysis-and-detection/
#RustBucket #BlueNoroff #macOS

Back in April, researchers at JAMF detailed a sophisticated APT campaign targeting macOS users with multi-stage malware that culminated in a Rust backdoor capable of downloading and executing further malware on infected devices. ‘RustBucket’, as they labeled it, was attributed with strong confidence to the BlueNoroff APT, generally assumed to be a subsidiary of the wider DPRK cyber attack group known as Lazarus.
In May, ESET tweeted details of a second RustBucket variant targeting macOS users, followed in June by Elastic’s discovery of a third variant that included previously unseen persistence capabilities.
RustBucket is noteworthy for the range and type of anti-evasion and anti-analysis measures seen in various stages of the malware. In this post, we review the multiple malware payloads used in the campaign and highlight the novel techniques RustBucket deploys to evade analysis and detection.
RustBucket Stage 1 | AppleScript Dropper
The attack begins with an Applet that masquerades as a PDF …

IoC

0738687206a88ecbee176e05e0518effa4ca4166
0be69bb9836b2a266bfd9a8b93bb412b6e4ce1be
0df7e1d3b3d54336d986574441778c827ff84bf2
182760cbe11fa0316abfb8b7b00b63f83159f5aa
27b101707b958139c32388eb4fd79fcd133ed880
338af1d91b846f2238d5a518f951050f90693488
3cc19cef767dee93588525c74fe9c1f1bf6f8007
469236d0054a270e117a2621f70f2a494e7fb823
5304031dc990790a26184b05b3019b2c5fa7022a
574bbb76ef147b95dfdf11069aaaa90df968e542
5933f1a20117d48985b60b10b5e42416ac00e018
69f24956fb75beb9b93ef974d873914500e35601
72167ec09d62cdfb04698c3f96a6131dceb24a9c
7a5d57c7e2b0c8ab7d60f7a7c7f4649f33fea8aa
7e1870a5b24c78a5e357568969aae3a5e7ab857d
7e69cb4f9c37fad13de85e91b5a05a816d14f490
7f8f43326f1ce505a8cd9f469a2ded81fa5c81be
7f9694b46227a8ebc67745e533bc0c5f38fdfa59
831dc7bc4a234907d94a889bcb60b7bedf1a1e13
89301dfdc5361f1650796fecdac30b7d86c65122
8a1b32ab8c2a889985e530425ae00f4428c575cc
8e7b4a0d9a73ec891edf5b2839602ccab4af5bdf
9121509d674091ce1f5f30e9a372b5dcf9bcd257
963a86aab1e450b03d51628797572fe9da8410a2
9676f0758c8e8d0e0d203c75b922bcd0aeaa0873
9a5f6a641cc170435f52c6a759709a62ad5757c7
a1a85cba1bc4ac9f6eafc548b1454f57b4dff7e0
a7f5bf893efa3f6b489efe24195c05ff87585fe3
ac08406818bbf4fe24ea04bfd72f747c89174bdb
acf1b5b47789badb519ff60dc93afa9e43bbb376
b02922869e86ad06ff6380e8ec0be8db38f5002b
b74702c9b82f23ebf76805f1853bc72236bee57c
be234cb6819039d6a1d3b1a205b9f74b6935bbcc
ca59874172660e6180af2815c3a42c85169aa0b2
cd8f41b91e8f1d8625e076f0a161e46e32c62bbf
d5971e8a3e8577dbb6f5a9aad248c842a33e7a26
d9f1392fb7ed010a0ecc4f819782c179efde9687
dabb4372050264f389b8adcf239366860662ac52
e0e42ac374443500c236721341612865cd3d1eec
e2bcdfbda85c55a4d6070c18723ba4adb7631807
e7158bb75adf27262ec3b0f2ca73c802a6222379
ed4f16b36bc47a701814b63e30d8ea7a226ca906
fd1cef5abe3e0c275671916a1f3a566f13489416
http://cloud.dnx.capital
http://crypto.hondchain.com
[email protected]