Apple devices targeted by fake macOS PDF viewer that's just malware

Magnifying glass enlarging the word 'malware' in computer machine code
(Image credit: Shutterstock)

Security experts have warned that Apple devices are being targeted with a new malware variant posing as a fake macOS PDF viewer.

Cybersecurity researchers from Jamf Threat Labs have published a report in which they detail a new Apple macOS malware strain dubbed RustBucket. 

RustBucket is essentially a loader, used to deliver stage-two malware to target endpoints. It is being distributed under the filename “Internal PDF Viewer” and while the researchers don’t discuss distribution channels, it’s safe to assume it’s being sent via phishing emails and malicious websites.

Three-stage attack

The caveat with RustBucket is that in order to work - the victim needs to manually override Gatekeeper protections. If they do that, they risk getting a second-stage payload, written in Objective-C which, in turn, delivers the final payload - Mach-O executable written in Rust. This malware, the researchers said, can run system reconnaissance commands.

"This PDF viewer technique used by the attacker is a clever one," the researchers said. "At this point, in order to perform analysis, not only do we need the stage-two malware but we also require the correct PDF file that operates as a key in order to execute the malicious code within the application."

The threat actor behind this campaign is called BlueNoroff - sometimes also referred to as APT28, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, or TA444. 

In reality, the group is a part of the Lazarus Group, an infamous state-sponsored threat actor from North Korea. Lazarus is one of the world’s most well-known threat actors responsible for, among other things, the Harmony bridge attack that occurred in June 2022. That attack against the popular crypto business resulted in the theft of some $100 million in various cryptocurrencies.

Lazarus was also behind an attack on the Ronin bridge that took place earlier in 2022, where the group stole $625 million in various cryptocurrencies.

Via: The Hacker News

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.