Rustbucket

Malware updated 10 days ago (2024-11-11T15:01:09.652Z)
RustBucket is malware that specifically targets macOS systems. It was first reported in 2023 and is attributed to the North Korea-linked threat actor group BlueNoroff. The malware was initially uncovered in 2021 as part of the RustBucket campaign and has since evolved into multiple variants that share characteristics with BlueNoroff's original RustBucket variant. It is typically deployed in three stages, and most observed infections were blocked by Cortex XDR while the next stage was being downloaded. RustBucket is associated with a series of other malware families, including KANDYKORN, SmoothOperator, ObjCShellz, Fullhouse, POOLRAT, PondRAT, OdicLoader, Comebacker, and CollectionRAT.

The RustBucket malware is part of a broader campaign named "Hidden Risk," which primarily targets cryptocurrency businesses. The threat actors use deceptive lures such as fake cryptocurrency news emails and a malicious app disguised as a PDF to gain initial access. Notably, RustBucket features a cross-platform backdoor written in Rust, attributed to DPRK's Lazarus Group, with a macOS version first spotted in 2023. SentinelLabs researchers have identified similarities between RustBucket and the ObjCShellz malware, reinforcing the association with the BlueNoroff APT group. In April, security firm Jamf reported that the BlueNoroff APT group was using a new macOS malware dubbed RustBucket. By July 2023, Elastic Security Labs had identified a new variant of the RustBucket macOS malware.

To counter these threats, preventive measures and detection alerts have been implemented for each of these malware families. Despite these efforts, the RustBucket campaign continues to pose a significant cybersecurity threat, particularly to organizations operating in the cryptocurrency sector.
Description last updated: 2024-11-11T14:43:42.235Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.

- Objcshellz (4 votes) is a possible alias for Rustbucket. ObjCShellz is a lightweight malware written in Objective-C, known for its advanced obfuscation features. Discovered by Jamf Threat Labs in November 2023, this malware operates as a relatively simple backdoor, serving as a remote shell that allows an attacker to execute arbitrary commands. It's typic
- Kandykorn (2 votes) is a possible alias for Rustbucket. KandyKorn is a type of malware, first discovered in 2023, that targets macOS systems. Developed by the Lazarus hacking group, this malicious software specifically aims at blockchain engineers. The known infection process begins with social engineering tactics, tricking the victim into downloading a
- Swiftloader (2 votes) is a possible alias for Rustbucket. SwiftLoader is a sophisticated malware that functions as a PDF viewer to lure unsuspecting victims. It was initially used in the RustBucket campaign, where it served as a second-stage malware, infecting systems through seemingly innocent downloads such as documents sent to targets. Notably, SwiftLoa
Miscellaneous Associations
Other elements of context that could help in assessing relevance:
Macos
Malware
Jamf
Apt
Loader
Backdoor
Windows
AppleScript
Payload
Analyst Notes & Discussion
Associated Threat Actors
- BlueNoroff (association type: Unspecified; 5 votes) is associated with Rustbucket. BlueNoroff, a threat actor group linked to North Korea, has been identified as the malicious entity behind several high-profile cyber-attacks. Since first making headlines with an attack on Sony Pictures in 2014, BlueNoroff and its parent group Lazarus have been involved in numerous notorious securi
- Lazarus Group (association type: Unspecified; 2 votes) is associated with Rustbucket. The Lazarus Group, a notorious North Korean state-sponsored threat actor, is among the most prolific and dangerous cyber threat actors in operation. The group has been involved in several high-profile cyber-attacks, including Operation DreamJob in Spain, with the primary objective of funding North K
Source Document References
Information about the Rustbucket malware was read from the document corpus below. This display is limited to 20 results.

Source (created):
- Securityaffairs (14 days ago)
- BankInfoSecurity (21 days ago)
- Unit42 (2 months ago)
- Securityaffairs (10 months ago)
- CERT-EU (a year ago)
- CERT-EU (a year ago)
- CERT-EU (a year ago)
- CERT-EU (a year ago)
- CERT-EU (a year ago)
- CERT-EU (a year ago)
- CERT-EU (a year ago)
- DARKReading (a year ago)
- CERT-EU (a year ago)
- Securityaffairs (a year ago)
- CERT-EU (a year ago)
- CERT-EU (a year ago)
- CERT-EU (a year ago)
- CERT-EU (a year ago)
- Securityaffairs (a year ago)
- CERT-EU (a year ago)