Rustbucket

Malware updated 2 months ago (2024-09-10T03:17:45.773Z)
RustBucket is a malware campaign first reported in 2023 and attributed to the BlueNoroff group, which was initially discovered in 2021. The malware specifically targets macOS systems; later samples are considered later-stage variants of the original RustBucket malware because they share its characteristics. It operates in multiple stages and is often spread via an application disguised as a PDF viewer. Since its initial discovery, several RustBucket variants have been observed, indicating ongoing development and adaptation by its creators. In April 2024, the North Korea-linked Advanced Persistent Threat (APT) group BlueNoroff was observed using a new RustBucket variant; earlier, in July 2023, researchers from Elastic Security Labs had spotted another variant. Notably, experts have found similarities between RustBucket and another malware known as ObjCShellz, suggesting possible shared origins or techniques. Prevention and detection alerts for RustBucket, along with other malware families such as KANDYKORN, SmoothOperator, ObjCShellz, Fullhouse, POOLRAT, PondRAT, OdicLoader, Comebacker, and CollectionRAT, have been implemented. Cortex XDR has been shown to block RustBucket samples from downloading subsequent malware stages, limiting potential damage. Jamf Threat Labs reported attackers using RustBucket as part of their campaigns, underscoring the ongoing threat posed by this malware.
Description last updated: 2024-09-10T03:16:50.441Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ObjCShellz (votes: 4). Objcshellz is a possible alias for Rustbucket. ObjCShellz is a lightweight malware written in Objective-C, known for its advanced obfuscation features. Discovered by Jamf Threat Labs in November 2023, this malware operates as a relatively simple backdoor, serving as a remote shell that allows an attacker to execute arbitrary commands. It's typic…

SwiftLoader (votes: 2). Swiftloader is a possible alias for Rustbucket. SwiftLoader is a sophisticated malware that functions as a PDF viewer to lure unsuspecting victims. It was initially used in the RustBucket campaign, where it served as a second-stage malware, infecting systems through seemingly innocent downloads such as documents sent to targets. Notably, SwiftLoa…

KandyKorn (votes: 2). Kandykorn is a possible alias for Rustbucket. KandyKorn is a type of malware, first discovered in 2023, that targets macOS systems. Developed by the Lazarus hacking group, this malicious software specifically aims at blockchain engineers. The known infection process begins with social engineering tactics, tricking the victim into downloading a…
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Macos
Malware
Jamf
Apt
Loader
Backdoor
Windows
AppleScript
Payload
Associated Threat Actors
BlueNoroff (association type: Unspecified; votes: 5). The Bluenoroff Threat Actor is associated with Rustbucket. BlueNoroff, a financially motivated threat actor closely associated with the Lazarus group, is a Korean-speaking entity known for targeting banks, casinos, fintech companies, POST software, cryptocurrency businesses, and ATMs. According to Kaspersky Labs, this subgroup of the Lazarus hacking group h…
Source Document References
Information about the Rustbucket Malware was read from the documents corpus below. This display is limited to 20 results.

Source (created at):
Unit42 (2 months ago)
Securityaffairs (10 months ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
DARKReading (a year ago)
CERT-EU (a year ago)
Securityaffairs (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
Securityaffairs (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)