Rustbucket

Malware updated 4 months ago (2024-05-04T18:16:43.376Z)

Download STIX

Preview STIX

RustBucket is a malicious software (malware) campaign that was first uncovered in 2021 and attributed to BlueNoroff, a North Korea-linked Advanced Persistent Threat (APT) group. The malware is known for its ability to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. RustBucket primarily targets macOS devices, spreading its malicious payload via an app disguised as a PDF viewer. In April 2024, the security firm Jamf observed BlueNoroff using a new macOS malware variant, dubbed RustBucket. In July 2023, researchers from Elastic Security Labs spotted a new variant of the RustBucket Apple macOS malware. A subsequent discovery in December 2023 revealed a new Trojan attacking macOS users, also associated with the BlueNoroff APT group and their ongoing RustBucket campaign. This discovery included a new type of malicious loader targeting macOS, which experts believe is linked to the RustBucket campaign. Another malware, ObjCShellz, was identified as part of the RustBucket campaign due to its similarities with other RustBucket variants. The Lazarus Group, another North Korean hacker collective, has reportedly leveraged a key component of the RustBucket campaign, SwiftLoader, to distribute the KANDYKORN malware. SentinelOne, a cybersecurity company, has confirmed protection for its customers from both KandyKorn and RustBucket malware. The RustBucket campaign is characterized by its deployment of a backdoored version of a PDF reader app called SwiftLoader, further solidifying its focus on macOS systems.

Description last updated: 2024-05-04T16:39:47.185Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ID	Votes	Profile Description
Objcshellz	3	ObjCShellz is a lightweight but advanced malware written in Objective-C, identified by researchers from Jamf Threat Labs in November 2023. This malicious software is designed to infiltrate macOS systems and enable remote execution of commands by attackers. It is characterized by its advanced obfusca
Swiftloader	2	SwiftLoader is a sophisticated malware that functions as a PDF viewer to lure unsuspecting victims. It was initially used in the RustBucket campaign, where it served as a second-stage malware, infecting systems through seemingly innocent downloads such as documents sent to targets. Notably, SwiftLoa
Kandykorn	2	KandyKorn is a new strain of malware that has recently been identified as an emerging threat to the technology sector, particularly targeting blockchain engineers. The malicious software, which is designed to infiltrate and damage computer systems, often enters undetected through suspicious download

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Macos

Malware

Jamf

Apt

Loader

Backdoor

Windows

AppleScript

Payload

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

ID	Type	Votes	Profile Description
Bluenoroff	Unspecified	5	BlueNoroff, a threat actor closely associated with the notorious Lazarus Group, has been actively involved in malicious cyber activities primarily targeting financial institutions and cryptocurrency businesses. Known for its sophisticated attacks on banks, casinos, fintech companies, POST software,

Source Document References

Information about the Rustbucket Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	8 months ago	Experts spotted a new macOS Backdoor named SpectralBlur linked to North Korea
CERT-EU	9 months ago	BlueNoroff: New Malware Attacking MacOS Users
CERT-EU	9 months ago	BlueNoroff: new Trojan attacking macOS users – GIXtools
CERT-EU	9 months ago	New BlueNoroff loader for macOS
CERT-EU	9 months ago	North Korean Hackers Now Merging macOS Malware Strains
CERT-EU	9 months ago	North Korean hackers evolve their techniques by mixing malware from previous campaigns
CERT-EU	9 months ago	DPRK hackers take aim at macOS by blending malware
CERT-EU	9 months ago	DPRK Crypto Theft \| macOS RustBucket Droppers Pivot to Deliver KandyKorn Payloads
DARKReading	9 months ago	macOS Malware Mix & Match: North Korean APTs Stir Up Fresh Attacks
CERT-EU	9 months ago	N. Korean Hackers ‘Mixing’ macOS Malware Tactics to Evade Detection
Securityaffairs	10 months ago	North Korea-linked APT Sapphire Sleet targets IT job seekers
CERT-EU	10 months ago	Unveiling ObjCShellz: BlueNoroff's Latest macOS Malware
CERT-EU	10 months ago	New 'ObjCShellz' malware allows hackers to remotely control a Mac
CERT-EU	10 months ago	BlueNoroff APT Targets macOS with new RustBucket Malware Variant
CERT-EU	10 months ago	Lazarus-Linked BlueNoroff APT Targets macOS with ObjCShellz Malware
Securityaffairs	10 months ago	North Korea-linked APT BlueNoroff used new macOS malware ObjCShellz
CERT-EU	10 months ago	North Korea-linked APT BlueNoroff used new macOS malware ObjCShellz
CERT-EU	10 months ago	North Korea-linked BlueNoroff's macOS malware variant targets financial firms
CERT-EU	10 months ago	BlueNoroff hackers backdoor Macs with new ObjCShellz malware
DARKReading	10 months ago	North Korea's BlueNoroff APT Debuts 'Dumbed Down' macOS Malware