RustBucket malware: A PDF could finish your Mac

Kerem Gülen
Jul 3, 2023

Cybersecurity research conducted by the illustrious team at Elastic Security Labs has brought to light a virulent new strain of the RustBucket malware, a notorious enemy of macOS-powered devices. It appears the cyber-nemesis has evolved, displaying an increased persistence on targeted endpoints and an unnerving ability to stealthily avoid antivirus programs.

The researchers reveal, "This variant of RustBucket, a malware family that targets macOS systems, adds persistence capabilities not previously observed." The devious malware has also advanced its command-and-control infrastructure, subtly embedding itself within dynamic network systems.

Its mode of entry is decidedly straightforward: the unsuspecting victim downloads a seemingly innocent macOS installer file, little knowing it carries a malevolent passenger – a compromised PDF reader. The attack is activated when an ill-fated PDF file, cleverly weaponized, is opened using the tainted reader. Often delivered via phishing emails or masquerading as trustworthy links on social media platforms like LinkedIn, the RustBucket malware indeed presents a sinister threat.

RustBucket's distinctive persistence method, paired with its dynamic DNS domains for command-and-control, enables it to surpass most malware in its elusive nature.

"In the case of this updated RustBucket sample, it establishes its own persistence by adding a plist file at the path /Users/<user>/Library/LaunchAgents/, and it copies the malware's binary to the following path /Users/<user>/Library/Metadata/System Update," the researchers elaborated.

This shrewd strategy ensures that the malware continues to lurk unseen, a constant menace to its host.
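A defender can check for the persistence layout quoted above. The following Python sketch is an added example, not code from the article or from Elastic Security Labs: it looks for the copied binary at the quoted path and, going slightly beyond the quoted case, flags any LaunchAgent plist whose program lives under `~/Library/Metadata`. The function names are hypothetical, and the plist's file name is not matched because the article does not give one.

```python
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# Per-user drop location quoted in the article, relative to the home directory.
DROP_PATH = Path("Library/Metadata/System Update")


def agent_executable(plist_path):
    """Return the program a LaunchAgent plist starts, or None if unreadable."""
    try:
        with open(plist_path, "rb") as fh:
            job = plistlib.load(fh)  # accepts XML and binary plists
    except (OSError, ValueError, ExpatError):
        return None
    if not isinstance(job, dict):
        return None
    args = job.get("ProgramArguments")
    first = args[0] if isinstance(args, list) and args else None
    return job.get("Program") or first


def scan_home(home):
    """Check one home directory; return a list of (kind, path) findings."""
    home = Path(home)
    findings = []
    if (home / DROP_PATH).is_file():
        findings.append(("binary", str(home / DROP_PATH)))
    metadata_dir = (home / DROP_PATH).parent.resolve()
    for plist in sorted((home / "Library/LaunchAgents").glob("*.plist")):
        exe = agent_executable(plist)
        # Flag any agent that launches a file stored under ~/Library/Metadata.
        if isinstance(exe, str) and metadata_dir in Path(exe).resolve().parents:
            findings.append(("launch_agent", str(plist)))
    return findings


def scan_all(users_root="/Users"):
    """Scan each home directory under users_root (macOS default: /Users)."""
    results = {}
    for home in sorted(Path(users_root).iterdir()):
        try:
            hits = scan_home(home) if home.is_dir() else []
        except PermissionError:
            hits = []  # other users' Library folders need elevated privileges
        if hits:
            results[home.name] = hits
    return results
```

Calling `scan_all()` on a Mac returns a dictionary keyed by user name; an empty dictionary means neither indicator was found in the homes the process could read.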

The preferred victims of this insidious malware, according to researchers, are predominantly financial institutions spanning Asia, Europe, and the U.S. This specialized targeting suggests a material motive behind the attack, indicating that the cybercriminals are in it for significant financial gain.


Closer analysis points towards the culprits being BlueNoroff, a department within the infamous Lazarus Group. This shadowy group, an extension of the Reconnaissance General Bureau (RGB), North Korea's primary intelligence agency, is notorious for executing highly profitable attacks against cryptocurrency businesses.

The group has amassed vast sums in stolen cryptocurrency and ransom money. The U.S. Treasury reported in June 2023 that Lazarus stole approximately $600 million in cryptocurrency and fiat currency this year alone from financial institutions and exchanges. That's a substantial increase from 2019's estimate of around $571.

A significant heist by Lazarus in June 2022 involved Harmony Bridge, a blockchain protocol that facilitates communication between different blockchains, thereby enabling tokens to migrate from one blockchain to another. This breach saw roughly $100 million evaporate from the protocol. The DeFi projects and bridges, although poorly designed and inadequately audited for security, manage vast funds, making them tempting targets for malicious attacks.

Researchers surmise that North Korea employs Lazarus to mitigate the economic impact of international sanctions. Some even propose that the ill-gotten wealth amassed through Lazarus’ operations might be channeled into developing and manufacturing nuclear weapons.

RustBucket's focus on macOS devices is particularly interesting. Traditionally, threat actors tend to target Windows or Linux devices, due to their wider use and numerous vulnerabilities. In 2020, over 83% of all malware targeted Windows devices, while macOS fell under the 'other' category, accounting for a mere 1.91% of targeted devices.

What does the cybersecurity community make of RustBucket and Lazarus?

David Sehyeon Baek, a prominent cybersecurity researcher, asserted via LinkedIn that Lazarus's long history of macOS attacks suggests other Advanced Persistent Threat (APT) groups may follow their lead. He warns, “The emergence of RustBucket highlights the evolving landscape of cyber threats and the need for heightened cybersecurity measures, particularly within the macOS environment.” Baek emphasizes the need for constant vigilance, particularly when downloading and executing applications from unverified sources.

However, opinions on Lazarus' proficiency vary within the cybersecurity community. In an enlightening discussion on the /hacking/ subreddit, one user argued that Lazarus is “not really [skilled] for a state actor,” with another adding a provocative point: “if you know about them, they are not top hackers.” However, others strongly disagree, praising the North Korean hackers' expertise, especially when it comes to infiltrating crypto exchanges and pilfering cryptocurrency as a means to circumvent financial sanctions. Skilled or not, Lazarus consistently features in media headlines, testament to the widespread impact of their cybercriminal activities.

Among the group's most notorious exploits is the attack on the Ronin bridge, which saw a staggering $625 million in crypto stolen. They have also been implicated in the creation of the DTrack backdoor, the compromise of various open-source software utilized by a multitude of enterprises and SMBs, the weaponization of Dell drivers, and the exploitation of the log4j flaw to target US energy companies.

RustBucket's evolution, bolstered by Lazarus's shadowy machinations, signifies a considerable shift in the cybersecurity landscape, one that necessitates heightened vigilance and stringent protective measures, especially in the macOS ecosystem. The persistent development of such threats underscores the vital need for ongoing cybersecurity research, ultimately emphasizing the age-old adage: knowledge is power.



  1. Mohamed Riyad Mohamed said on July 10, 2023 at 10:35 pm

    how i can scan to my pc
