The DPRK strikes using a new variant of RUSTBUCKET
A DPRK campaign using a new variant of the RUSTBUCKET malware is underway with updated capabilities and reduced signature detection.
- The RUSTBUCKET malware family is in an active development phase, adding built-in persistence and focusing on signature reduction.
- REF9135 actors are continually shifting their infrastructure to evade detection and response.
- The DPRK continues financially motivated attacks against cryptocurrency service providers.
- If you are running Elastic Defend, you are protected from REF9135.
The Elastic Security Labs team has detected a new variant of the RUSTBUCKET malware, a family that has been previously attributed to the BlueNorOff group by Jamf Threat Labs in April 2023.
This variant of RUSTBUCKET, a malware family that targets macOS systems, adds persistence capabilities not previously observed and, at the time of reporting, is undetected by VirusTotal signature engines. Elastic Defend behavioral and prebuilt detection rules provide protection and visibility for users. We have also released a signature to …
IoC