Security experts have warned that Apple devices are being targeted with a new malware variant posing as a fake macOS PDF viewer.
Cybersecurity researchers from Jamf Threat Labs have published a report in which they detail a new Apple macOS malware strain dubbed RustBucket.
RustBucket is essentially a loader, used to deliver stage-two malware to target endpoints. It is being distributed under the filename “Internal PDF Viewer” and while the researchers don’t discuss distribution channels, it’s safe to assume it’s being sent via phishing emails and malicious websites.
Three-stage attack
The caveat with RustBucket is that in order to work - the victim needs to manually override Gatekeeper protections. If they do that, they risk getting a second-stage payload, written in Objective-C which, in turn, delivers the final payload - Mach-O executable written in Rust. This malware, the researchers said, can run system reconnaissance commands.
"This PDF viewer technique used by the attacker is a clever one," the researchers said. "At this point, in order to perform analysis, not only do we need the stage-two malware but we also require the correct PDF file that operates as a key in order to execute the malicious code within the application."
The threat actor behind this campaign is called BlueNoroff - sometimes also referred to as APT28, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, or TA444.
In reality, the group is a part of the Lazarus Group, an infamous state-sponsored threat actor from North Korea. Lazarus is one of the world’s most well-known threat actors responsible for, among other things, the Harmony bridge attack that occurred in June 2022. That attack against the popular crypto business resulted in the theft of some $100 million in various cryptocurrencies.
Lazarus was also behind an attack on the Ronin bridge that took place earlier in 2022, where the group stole $625 million in various cryptocurrencies.
- Check out the best endpoint protection services
Via: The Hacker News
