New BlueNoroff loader for macOS
We recently discovered a new variety of malicious loader that targets macOS, presumably linked to the BlueNoroff APT group and its ongoing campaign known as RustBucket. The threat actor is known to attack financial organizations, particularly companies whose activity is in any way related to cryptocurrency, as well as individuals who hold crypto assets or take an interest in the subject. Information about the new loader variant first appeared in an X (formerly Twitter) post.
Earlier RustBucket versions spread their malicious payload via an app disguised as a PDF viewer. By contrast, this new variety was found inside a ZIP archive that contained a PDF file named “Crypto-assets and their risks for financial stability”, with a thumbnail showing the corresponding title page. The metadata preserved inside the ZIP archive suggests the app was created on October 21, 2023.
Exactly how the archive spread is unknown. The cybercriminals might have emailed it …
IoC
MD5 hashes
1fddf14984c6b57358401a4587e7b950
3b3b3b9f7c71fcd7239abe90c97751c0
80c1256f8bb2a9572e20dd480ac68759
90385d612877e9d360196770d73d22d6
b1e01ae0006f449781a05f4704546b34
d8011dcca570689d72064b156647fa82
SHA-1 hashes
3b166c3b7dc4b751c9fe2afab9135641e388e186
611e5b662c593a08ff58d14ae22452d198df6c60
da96876f9535e3946aff3875c5e5c05e48ecb49c
URLs
http://on-global.xyz
http://on-global.xyz/Of56cYsfVV8/OJITWH2WFx/Jy5S7hSx0K/fP7saoiPBc/A==
http://on-global.xyz/Ov56cYsfVV8/OJITWH2WFx/Jy5S7hSx0K/fP7saoiPBc/A==
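The article notes that the ZIP archive's preserved metadata points to an October 21, 2023 creation date, and it lists file hashes as indicators. The following Python script is an added example for defenders, not code from the Securelist write-up: it opens a ZIP archive, reads each member's stored timestamp (ZIP entries carry a DOS-format local time with two-second resolution, which is where such a date comes from), hashes each member with MD5 and SHA-1, and matches the results against the hash IoCs quoted above. The sample archive it builds is constructed placeholder data with the decoy PDF name from the article and an invented `Viewer.app` path; it contains no real malware, so it matches nothing unless a custom IoC set is passed in.

```python
"""Added example (not part of the original article): triage a ZIP archive by
listing member timestamps and matching member hashes against the IoC list."""
import hashlib
import io
import zipfile
from datetime import datetime

# Hash IoCs quoted in the article (MD5 and SHA-1), lower-case hex.
IOC_HASHES = {
    "1fddf14984c6b57358401a4587e7b950",
    "3b3b3b9f7c71fcd7239abe90c97751c0",
    "80c1256f8bb2a9572e20dd480ac68759",
    "90385d612877e9d360196770d73d22d6",
    "b1e01ae0006f449781a05f4704546b34",
    "d8011dcca570689d72064b156647fa82",
    "3b166c3b7dc4b751c9fe2afab9135641e388e186",
    "611e5b662c593a08ff58d14ae22452d198df6c60",
    "da96876f9535e3946aff3875c5e5c05e48ecb49c",
}


def triage_zip(data: bytes, iocs=IOC_HASHES) -> dict:
    """Return per-member hashes and timestamps, IoC hits, and the earliest
    member timestamp for a ZIP archive held in memory."""
    result = {"members": [], "ioc_hits": [], "earliest": None}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            payload = zf.read(info)
            md5 = hashlib.md5(payload).hexdigest()
            sha1 = hashlib.sha1(payload).hexdigest()
            # ZIP stores the member's last-modified time as local DOS time
            # (year, month, day, hour, minute, second), 2-second resolution.
            stamp = datetime(*info.date_time)
            result["members"].append(
                {"name": info.filename, "md5": md5, "sha1": sha1, "mtime": stamp}
            )
            for digest in (md5, sha1):
                if digest in iocs:
                    result["ioc_hits"].append((info.filename, digest))
            if result["earliest"] is None or stamp < result["earliest"]:
                result["earliest"] = stamp
    return result


def build_sample_zip() -> bytes:
    """Constructed sample archive: a placeholder decoy PDF and a placeholder
    app-bundle member (hypothetical 'Viewer.app' path), both dated 2023-10-21.
    The contents are inert filler bytes, not the real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        pdf = zipfile.ZipInfo(
            "Crypto-assets and their risks for financial stability.pdf",
            date_time=(2023, 10, 21, 9, 30, 0),
        )
        zf.writestr(pdf, b"%PDF-1.4 placeholder decoy")
        binary = zipfile.ZipInfo(
            "Viewer.app/Contents/MacOS/Viewer",
            date_time=(2023, 10, 21, 9, 31, 0),
        )
        zf.writestr(binary, b"\xcf\xfa\xed\xfe placeholder, not a real Mach-O")
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_zip(build_sample_zip())
    for member in report["members"]:
        print(f"{member['mtime']}  {member['md5']}  {member['name']}")
    print("earliest member timestamp:", report["earliest"])
    print("IoC hits:", report["ioc_hits"] or "none")
```

To triage a real archive, read its bytes from disk and pass them to `triage_zip`; because the ZIP timestamp is local time as set on the packer's machine, treat it as an approximation of the build date rather than an exact UTC instant, and rely on the hash hits rather than the date for a positive match.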