New RUSTBUCKET Malware With Zero Detections on VirusTotal

The DPRK campaign is utilizing a recently updated version of Rustbucket malware to avoid being detected.

This variant of RUSTBUCKET, targets macOS systems, adds persistence capabilities not previously observed and, at the time of reporting, is undetected by VirusTotal signature engines.

The Elastic Security Labs team has detected a new variant of the RUSTBUCKET malware, a family that has been previously attributed to the BlueNorOff group by Jamf Threat Labs in April 2023. 

The DPRK conducts malicious cyber activities and deploys information technology (IT) workers who fraudulently obtain employment to generate revenue.

RUSTBUCKET Malware Infection Chain

As per the research RUSTBUCKET family of malware is under active development. Additionally, at the time of publication, this new variant has zero detections on VirusTotal and is leveraging a dynamic network infrastructure methodology for command and control.

The command /usr/bin/osascript  has been used to execute the AppleScript which is responsible for downloading  Stage 2 binary from the C2 using cURL. 

This session includes the string pd in the body of the HTTP request and cur1-agent as the User-Agent string which saves the Stage 2 binary to /users/shared/.pd, 

The Stage 2 binary (.pd) is compiled in Swift and operates based on command-line arguments. The binary expects a C2 URL to be provided as the first parameter when executed. 

Upon execution, it invokes the downAndExec function, which is responsible for preparing a POST HTTP request. 

To initiate this request, the binary sets the User-Agent string as mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0) and includes the string pw in the body of the HTTP request.

During execution, the malware utilizes specific macOS APIs for various operations. It begins with NSFileManager’s temporaryDirectory function to obtain the current temporary folder, then generates a random UUID using NSUUID’s UUID.init method. 

Finally, the malware combines the temporary directory path with the generated UUID to create a unique file location and writes the payload to it.

Once the payload is written to disk, the malware utilizes NSTask to initiate its execution.

Gathers System Information

The malware initiates its operations by dynamically generating a 16-byte random value at runtime. This value serves as a distinctive identifier for the specific instance of the active malware. Subsequently, the malware proceeds to gather comprehensive system information, including:

• Computer name
• List of active processes
• Current timestamp
• Installation timestamp
• System boot time
• Status of all running processes within the system

The malware establishes its initial connection to the C2 server by transmitting the gathered data via a POST request. The request is accompanied by a User-Agent string formatted as Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0).

Upon receiving the request, the C2 server responds with a command ID, which serves as an instruction for the malware. The malware is designed to handle only two commands.

Command ID 0x31-to self-terminate

Command ID 0x30-This command enables the operator to upload malicious Mach-O binaries or shell scripts to the system and execute them.

The malware proceeds by granting execution permissions to the uploaded file using the chmod API.After executing the payload, the malware sends a status update to the server, notifying it of the completed execution, and then sleeps for 60 seconds. 

Following this delay, the malware loops to collect system information once again and remains in a waiting state, anticipating the arrival of the next command from the server.

The multi-stage composition of the malware, in addition to the use of Rust programming language and the targeting of macOS, make detection and prevention a significant challenge. 

Indicator of compromise:

9ca914b1cfa8c0ba021b9e00bda71f36cad132f27cf16bda6d937badee66c747

7fccc871c889a4f4c13a977fdd5f062d6de23c3ffd27e72661c986fae6370387

ec8f97d5595d92ec678ffbf5ae1f60ce90e620088927f751c76935c46aa7dc41

de81e5246978775a45f3dbda43e2716aaa1b1c4399fe7d44f918fccecc4dd500

4f49514ab1794177a61c50c63b93b903c46f9b914c32ebe9c96aa3cbc1f99b16

fe8c0e881593cc3dfa7a66e314b12b322053c67cbc9b606d5a2c0a12f097ef69

7887638bcafd57e2896c7c16698e927ce92fd7d409aae698d33cdca3ce8d25b8

“AI-based email security measures Protect your business From Email Threats!” – .