lazarusholic


Bluenoroff’s RustBucket campaign

2023-05-22, SEKOIA
https://blog.sekoia.io/bluenoroffs-rustbucket-campaign/
#RustBucket #BlueNoroff #macOS


Like DPRK soldiers
In April 2023, fellow security researchers at Jamf published a report on Bluenoroff's RustBucket, newly observed malware targeting the macOS platform. Sekoia.io analysts further investigated Bluenoroff's infrastructure and share their findings in this report.
Bluenoroff is a North Korea-nexus intrusion set, allegedly subordinate to the RGB's Bureau 121 and tasked with revenue generation since at least 2015. Since 2017, Bluenoroff has been observed conducting financially motivated campaigns targeting cryptocurrency exchanges and venture-capital-related entities in Europe, Asia, the U.S. and the UAE.
From the end of 2021 and through 2022, Bluenoroff consistently used the same TTPs. However, Sekoia.io analysts observed recent modifications, as described in the Jamf report referenced above.
Bluenoroff’s gone macOS
Since at least December 2022, Bluenoroff has been observed leveraging RustBucket, malware written in Rust and Objective-C that targets systems running macOS. This recent Bluenoroff activity illustrates how intrusion sets are turning to cross-platform languages in their malware development efforts, further expanding their capabilities highly likely …

IoC

07d206664a8d397273e69ce37ef7cf933c22e93b62d95b673d6e835876feba06
0d6964fe763c2e6404cde68af2c5f86d34cf50a88bd81bc06bba739010821db0
104.156.149.130
104.168.138.7
104.168.167.88
104.168.174.80
104.234.147.28
104.255.172.52
104.255.172.56
149.248.52.31
149.28.247.34
152.89.247.87
155.138.159.45
155.138.219.140
172.86.121.130
172.86.121.143
172.86.122.181
172.93.181.221
31cec2803bfc7750930d5864400388732a822da96c3f79c98ddee03949aa6a2d
38106b043ede31a66596299f17254d3f23cbe1f983674bf9ead5006e0f0bf880
3b6f30369a4ee8bf9409d141b6d1b3fb4286c34984b5de005ed7431df549b17e
3ed9f34fedca38130776e5adabae363ac797fe89087e04e0c93d83fd62a7a9a4
3f0d5ddca2657044f4763ae53c4f33c8a7814ba451b60d24430a126674125624
46db9f2fc879bf643a8f05e2b35879b235cbb04aa06fe548f0bc7c7c02483cf3
4e05597d308d2368625dc19e86a9ca22
5072b28399c874f92e71793fa13207d946a28a2f5903365ac11ddf666d15d086
529c65521e8a07c8810b6d225f7e2a89
5c483473641807082e530744023044fd
5ca7c871dfe24b27b5cf7e9bf087f44c7620d78a1d4fa76373f22abedbdf8f82
5f00106f7f15e0ca00df4dbb0eeccd57930b4b81bc9aa3fca0c5af4eda339ab7
606bce13161693844b9eb36c96554883
ba5e982596fd03bea98f5de96c1258e56327358e134ceecd1d68e54480533d92
bea33fb3205319868784c028418411ee796d6ee3dfe9309f143e7e8106116a49
c28e4031129f3e6e5c6fbd7b1cebd8dd21b6f87a8564b0fb9ee741a9b8bc0197
c56a97efd6d3470e14193ac9e194fa46d495e3dddc918219cca530b90f01d11e
ca86579220eecfaede268d1520d07fae
d6d367453c513445313be7339666e4faeeebeae71620c187012ea5ae2901df34
dda8a9e2a2e415be781a39fdf41f1551af2344f1b1a0ddf921d8aeba90343d1b
e2f177b8806923f21a93952b61aedbeb02d829a67a820a7aab5ee72512e3d646
e74e8cdf887ae2de25590c55cb52dad66f0135ad4a1df224155f772554ea970c
ea5fac3201a09c3c5c3701723ea9a5fec8bbc4f1f236463d651303f40a245452
ebad7317e1b01c2231bdbf37dfebdf656e3c8706e719fd37b66f0170b3d5cae0
ec8f97d5595d92ec678ffbf5ae1f60ce90e620088927f751c76935c46aa7dc41
f603713bffb9e040bedfd0bb675ff5a6b3205d8bd4e1a3309ea6d1b608871184
f8800dd176487601ccf2e27c094b297b
f90b544f89cfbe38aee18024d7c39e40
ff8832355ae99ffd66d0fe9eda2d74efdf3ed87bb2a4c215b93ade93165f7c0b
http://104.156.149.130
http://104.168.167.88
http://104.168.174.80
http://104.234.147.28
http://104.255.172.56
http://149.248.52.31
http://149.28.247.34
http://152.89.247.87
http://155.138.219.140
http://172.86.121.130
http://172.86.121.143
http://172.86.122.181
http://172.93.181.221
http://cloud.dnx.capital
http://laos.hedgehogvc.us
http://safe.doc-share.cloud
http://sarahbeery.docsend.me
https://tinyurl.com/5n7f56a8
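The list above mixes SHA-256 and MD5 hashes, bare IPv4 addresses and URLs without labelling them, which is how most analysts receive it. The following script is an added example (not SEKOIA's code) that classifies such a list by indicator type, derives hostnames from the URLs so that DNS and proxy logs can be matched without the scheme, and scans log lines for hits. The indicator subset is copied from this page; the log lines are constructed for the demonstration. Note that https://tinyurl.com/5n7f56a8 is the `reference` field of the SEKOIA YARA rule below rather than attacker infrastructure, so the example keeps the full URL but refuses to turn the shared hostname into a match key.

```python
import re
from collections import defaultdict

# A subset of the indicators listed on this page, one per line, as a SOC
# analyst would paste them. The log lines further down are constructed for
# this example and do not come from any real incident.
RAW_IOCS = """
07d206664a8d397273e69ce37ef7cf933c22e93b62d95b673d6e835876feba06
4e05597d308d2368625dc19e86a9ca22
104.156.149.130
172.86.121.130
http://104.156.149.130
http://cloud.dnx.capital
http://laos.hedgehogvc.us
https://tinyurl.com/5n7f56a8
"""

# Shared public services whose bare hostname must not become a match key.
# tinyurl.com here is the YARA rule's reference link, not C2.
SHARED_HOSTS = {"tinyurl.com"}

PATTERNS = {
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
    "md5": re.compile(r"^[0-9a-f]{32}$"),
    "ipv4": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    "url": re.compile(r"^https?://\S+$"),
}

def classify(indicator):
    """Return the indicator type for one line, or None if unrecognised."""
    ind = indicator.strip().lower()
    for kind, pat in PATTERNS.items():
        if pat.match(ind):
            return kind
    return None

def load_iocs(text):
    """Group indicators by type. URLs also contribute their host to a 'host'
    set (unless the host is a shared service) so DNS/proxy logs match."""
    groups = defaultdict(set)
    for line in text.splitlines():
        line = line.strip().lower()
        kind = classify(line) if line else None
        if kind is None:
            continue
        groups[kind].add(line)
        if kind == "url":
            host = re.sub(r"^https?://", "", line).split("/")[0]
            if host not in SHARED_HOSTS:
                groups["host"].add(host)
    return groups

# Candidate tokens in free-form log text: hex digests, dotted quads, hostnames.
TOKEN_RE = re.compile(
    r"[0-9a-f]{32,64}|(?:\d{1,3}\.){3}\d{1,3}|[a-z0-9.-]+\.[a-z]{2,}", re.I)

def scan_log(lines, groups):
    """One hit per (line, type, indicator), so a value repeated in several
    fields of the same line is not double counted."""
    hits, seen = [], set()
    for lineno, line in enumerate(lines, 1):
        for tok in TOKEN_RE.findall(line):
            t = tok.lower()
            for kind in ("sha256", "md5", "ipv4", "host"):
                if t in groups.get(kind, set()):
                    key = (lineno, kind, t)
                    if key not in seen:
                        seen.add(key)
                        hits.append(key)
                    break
    return hits

# Constructed log lines (not real telemetry) for the usage demonstration.
SAMPLE_LOG = [
    "2023-05-10T09:12:01Z proxy src=10.0.0.21 dst=104.156.149.130 method=GET host=104.156.149.130 path=/",
    "2023-05-10T09:12:05Z dns query=laos.hedgehogvc.us type=A client=10.0.0.21",
    "2023-05-10T09:13:40Z edr file=/Users/dev/Downloads/sample.app sha256=07d206664a8d397273e69ce37ef7cf933c22e93b62d95b673d6e835876feba06",
    "2023-05-10T09:15:00Z dns query=www.example.com type=A client=10.0.0.22",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, load_iocs(RAW_IOCS)):
        print(hit)
```

Hostnames are matched as whole tokens, so a subdomain of a listed host would need an extra suffix check before being treated as a hit; the IP addresses, by contrast, are exact matches and should be reviewed against the publication date, since the hosting listed here is commodity VPS space that changes hands.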
rule apt_Bluenoroff_downloader_mac_RustBucket
{
    meta:
        id = "5a003b68-ad9a-47f9-b157-dd898181dac2"
        version = "1.0"
        malware = "RustBucket"
        description = "RustBucket fake PDF reader"
        source = "SEKOIA"
        creation_date = "2023-04-24"
        classification = "TLP:WHITE"
        reference = "https://tinyurl.com/5n7f56a8"
        hash = "606bce13161693844b9eb36c96554883"
        hash = "b93d7b7b30207249c1c683df16bad107"
        hash = "ca86579220eecfaede268d1520d07fae"
        hash = "f8800dd176487601ccf2e27c094b297b"

    strings:
        $down_exec1 = "_down_update_run" nocase
        $down_exec2 = "downAndExec" nocase
        $encrypt1 = "_encrypt_pdf"
        $encrypt2 = "_encrypt_data"
        $error_msg1 = "_alertErr"
        $error_msg2 = "_show_error_msg"
        $view_pdf1 = "-[PEPWindow view_pdf:]"
        $view_pdf2 = "-[PEPWindow viewPDF:]"

    condition:
        (uint32be(0) == 0xcafebabe or uint32be(0) == 0xcffaedfe)
        and 5 of them
        and filesize > 50KB
}
rule apt_Bluenoroff_downloader_win_curl_agent : TESTING
{
    meta:
        id = "ddeb2d8f-1b10-4a33-b768-d19412e8551a"
        version = "1.0"
        intrusion_set = "Bluenoroff"
        description = "Detect the downloader used by Bluenoroff to install its CurlAgent"
        source = "SEKOIA"
        creation_date = "2023-05-02"
        classification = "TLP:WHITE"

    strings:
        $ = "%s\\marcoor.dll" wide
        $ = "curl -A cur1-agent -L %s -s -d dl"
        $ = "curl -A cur1-agent -L %s -s -d da"
        $ = "cmd /c timeout /t 10 & rundll32 \"%s\" #1" wide
        $ = "cmd /c timeout /t 10 & Del /f /q \"%s\" & attrib -s -h \"%s\" & rundll32 \"%s\" #1" wide

    condition:
        3 of them
}
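The header test in the RustBucket rule is easy to misread: YARA's uint32be(0) reads the first four bytes big-endian, so 0xcafebabe is the FAT (universal) Mach-O magic, while 0xcffaedfe is the byte sequence cf fa ed fe, i.e. MH_MAGIC_64 (0xfeedfacf) as a 64-bit little-endian Mach-O stores it. A thin 32-bit little-endian Mach-O (ce fa ed fe) is therefore not covered, and 0xcafebabe is also the Java class-file magic, which is why the "5 of them" string condition carries the real discriminating weight. The following added example (not SEKOIA's code) re-implements the rule's condition in Python over constructed byte blobs so those cases can be checked; the headers and padded bodies are synthetic and are not real samples.

```python
import struct

# Magic values exactly as the SEKOIA rule compares them with uint32be(0).
RULE_MAGICS = {0xCAFEBABE, 0xCFFAEDFE}

# The rule's strings as (pattern, nocase); names mirror the YARA identifiers.
RULE_STRINGS = {
    "down_exec1": (b"_down_update_run", True),
    "down_exec2": (b"downAndExec", True),
    "encrypt1": (b"_encrypt_pdf", False),
    "encrypt2": (b"_encrypt_data", False),
    "error_msg1": (b"_alertErr", False),
    "error_msg2": (b"_show_error_msg", False),
    "view_pdf1": (b"-[PEPWindow view_pdf:]", False),
    "view_pdf2": (b"-[PEPWindow viewPDF:]", False),
}
MIN_FILESIZE = 50 * 1024  # YARA's "50KB"

def uint32be(data, offset=0):
    """YARA uint32be(): four bytes at offset read as a big-endian integer."""
    return struct.unpack_from(">I", data, offset)[0]

def header_matches(data):
    return len(data) >= 4 and uint32be(data) in RULE_MAGICS

def matched_strings(data):
    """Names of the rule strings present in data, honouring nocase."""
    hits = []
    lowered = data.lower()
    for name, (needle, nocase) in RULE_STRINGS.items():
        hay, nd = (lowered, needle.lower()) if nocase else (data, needle)
        if nd in hay:
            hits.append(name)
    return hits

def rule_matches(data):
    """Full condition: magic AND at least 5 of the strings AND filesize > 50KB."""
    return (header_matches(data)
            and len(matched_strings(data)) >= 5
            and len(data) > MIN_FILESIZE)

def build_sample(magic_bytes, strings, size=64 * 1024):
    """Constructed test blob: magic, a fake header area, the chosen strings,
    zero-padded to size. Not a valid executable, just enough for the rule."""
    body = magic_bytes + b"\x00" * 28 + b"\x00".join(strings)
    return body.ljust(size, b"\x00")

# Constructed headers (assumptions for the demo, not real samples).
FAT_MAGIC = bytes.fromhex("cafebabe")
MH_MAGIC_64_LE = struct.pack("<I", 0xFEEDFACF)  # cf fa ed fe, in the rule
MH_MAGIC_32_LE = struct.pack("<I", 0xFEEDFACE)  # ce fa ed fe, not in the rule
JAVA_CLASS_MAGIC = bytes.fromhex("cafebabe")    # same bytes as FAT Mach-O

# Five rule strings, the two nocase ones in altered case to show nocase works.
FIVE_STRINGS = [b"_DOWN_UPDATE_RUN", b"downandexec", b"_encrypt_pdf",
                b"_encrypt_data", b"_alertErr"]

if __name__ == "__main__":
    for label, magic in (("fat", FAT_MAGIC), ("mh64", MH_MAGIC_64_LE),
                         ("mh32", MH_MAGIC_32_LE)):
        print(label, rule_matches(build_sample(magic, FIVE_STRINGS)))
    print("java-magic-no-strings",
          rule_matches(build_sample(JAVA_CLASS_MAGIC, [])))
```

To cover thin 32-bit binaries the condition would need an additional `uint32be(0) == 0xcefaedfe` clause; whether that is wanted depends on whether the rule is meant to stay narrowly tied to the observed 64-bit and universal builds.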