The Mac Security Blog

Malware

RustBucket: APT group targets Macs with PDF Trojan malware

Posted on by

An advanced persistent threat (APT) group known as BlueNoroff is reportedly targeting Macs with a new malware family. BlueNoroff is believed to have ties to Lazarus Group, which has developed a variety of Mac malware in recent years. Both APT groups seem to be aligned with the interests of the North Korean government.

The new malware family is known as RustBucket. Keep reading to learn everything you need to know about this threat and how to keep your Mac safe.

In this article:

What does OSX/RustBucket Mac malware do?

To an unsuspecting user, the RustBucket Trojan horse looks like a simple PDF-reader app. It has an innocuous-looking icon, and the app’s name is “Internal PDF Viewer.” (Note that future variants may use a different disguise instead.)

OSX/RustBucket’s “Internal PDF Viewer” Trojan horse app icon.

RustBucket’s first-stage Trojan is a simple AppleScript app that runs a few shell scripts. These scripts download, unzip, and run a second-stage payload, written in Objective-C.

That second payload is a basic PDF reader app. Yes, you can actually open any standard PDF with it. However, “Internal PDF Viewer” has some secret functionality as well.

The evil-PDF trigger

As the name hints, “Internal PDF Viewer” is designed to read particular PDF files. But in reality, the app doesn’t let you view proprietary PDFs intended exclusively for the eyes of a particular company’s employees.

Instead, opening a maliciously crafted PDF file triggers additional behavior, causing the app to phone home to a command-and-control (C&C or C2) server.

The third-stage payload

At this point, the app attempts to download an additional payload or receive further instructions from the server. However, by the time the malware was discovered, the server was not responding to the phone-home URL as expected. This seems to imply that the goals of that particular variant’s campaign might have already been achieved. It seemed that the server operators had voluntarily shut down the C&C functionality at that particular URL.

However, researchers discovered another URL on the same server that hosted what may have been the third-stage malware payload. This payload was written in Rust (hence the malware’s nickname, RustBucket).

Researchers are still investigating the functionality of this last payload. But based on the APT group’s past activity, BlueNoroff’s RustBucket malware would likely attempt to steal cryptocurrency. It may also attempt to exfiltrate other sensitive or proprietary information to the North Korea-linked threat group.

How can one remove or prevent RustBucket and other Mac malware?

Intego X9 software boxes

Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, can protect against, detect, and eliminate this Mac malware. Intego products detect components of this threat as OSX/RustBucket or variations of trojan:OSX/Nukesped.

If you believe your Mac may be infected—or to prevent future infections—use trusted antivirus software. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It’s compatible with a variety of Mac hardware and OS versions, including the latest Apple silicon Macs running macOS Ventura.

Additionally, if you use a Windows PC, Intego Antivirus for Windows can keep your computer protected from PC malware.

VirusBarrier X6, X7, and X8 on older Mac OS X versions also provide protection. Note, however, that it is best to upgrade to the latest versions of macOS and VirusBarrier; this will help ensure your Mac gets all the latest security updates from Apple.

RustBucket indicators of compromise (IoCs)

This file path is associated with RustBucket malware:

/Users/Shared/Internal PDF Viewer.app

The following SHA-256 hashes relate to RustBucket-related malware campaigns:

014692bbe2d289563f67a922d12c9c0af290e6c8b1a473418d705b2022868b5f*
07d206664a8d397273e69ce37ef7cf933c22e93b62d95b673d6e835876feba06
0d6964fe763c2e6404cde68af2c5f86d34cf50a88bd81bc06bba739010821db0
123543c7a5523a15a933e32477b8cba4cd79a680bb69ef2dba178700bfb9ec07
30025e57c68c37337cb00600c851bbcba75723e4fadf960a572176c94aa7f2e2*
38106b043ede31a66596299f17254d3f23cbe1f983674bf9ead5006e0f0bf880
3b6f30369a4ee8bf9409d141b6d1b3fb4286c34984b5de005ed7431df549b17e
3d41cd5199dbd6cefcc78d53bb44a2ecbea716de2bc8e547ead7c2aebd9925f0
7981ebf35b5eff8be2f3849c8f3085b9cec10d9759ff4d3afd46990520de0407
7c66d2d75be43d2c17e75d37c39344a9b5d29ee5c5861f178aa7d9f34208eb48
7e2b38decf1f826fbb792d762d9e6a29147e9ecb44eb2ad2c4dc08e7ee01a140
8e234482db790fa0a3d2bf5f7084ec4cfb74bffd5f6cbdc5abdbc1350f58e3fe
9525f5081a5a7ab7d35cf2fb2d7524e0777e37fe3df62730e1e7de50506850f7
9ca914b1cfa8c0ba021b9e00bda71f36cad132f27cf16bda6d937badee66c747
b448381f244dc0072abd4f52e01ca93efaebb2c0a8ea8901c4725ecb1b2b0656
b68bf400a23b1053f54911a2b826d341f6bf87c26bea5e6cf21710ee569a7aab*
bea33fb3205319868784c028418411ee796d6ee3dfe9309f143e7e8106116a49
c56a97efd6d3470e14193ac9e194fa46d495e3dddc918219cca530b90f01d11e
e74e8cdf887ae2de25590c55cb52dad66f0135ad4a1df224155f772554ea970c
ea5fac3201a09c3c5c3701723ea9a5fec8bbc4f1f236463d651303f40a245452
ff8832355ae99ffd66d0fe9eda2d74efdf3ed87bb2a4c215b93ade93165f7c0b
*First reported by Intego

These command-and-control (C&C) domains and IP address have been used in conjunction with this malware:

cloud.dnx[.]capital
deck.31ventures[.]info
laos.hedgehogvc[.]us
104.255.172[.]56

Network administrators can check recent network traffic logs to try to identify whether any computers on their network may have attempted to contact these domains or IP, which could indicate a possible infection.

Is RustBucket known by any other names?

Other vendors’ names for threat components related to this malware campaign may include variations of the following, among others:

Backdoor (0040f37a1), BIN.S.Agent.1144, HEUR_PDFEXP.E, HEUR:Trojan-Downloader.OSX.Lazarus.d, HEUR:Trojan-Downloader.OSX.Lazarus.e, HEUR:Trojan-Downloader.OSX.Lazarus.gen, IOS/Nukesped.E, MAC/NukeSpeed.E, MacOS:Nukesped-A [Drp], MacOS:NukeSpeed-AC [Trj], MacOS:NukeSpeed-AD [Trj], MacOS/Nukesped.E, Malware.OSX/NukeSped.kdvjc, Malware.OSX/NukeSped.mwfxa, Malware.OSX/NukeSped.xtyyy, Malware.OSX/NukeSped.xtyzd, Osx.Trojan-Downloader.Lazarus.Cdhl, Osx.Trojan-Downloader.Lazarus.Lzfl, OSX.Trojan.Gen, Osx.Trojan.Nukesped.Rnkl, OSX/NukeSped-AV, OSX/NukeSped.kdvjc, OSX/NukeSped.mwfxa, OSX/NukeSped.R, OSX/NukeSped.R!tr, OSX/NukeSped.S, OSX/NukeSped.xtyyy, OSX/NukeSped.xtyzd, PDF.Z.Agent.1921288, PDF/Agent.AV, PDF/Agent.AW, PDF/Agent.AX, PDF/Agent.C6C7!tr, PDF/Agent5.D, PDF/BlueNoroff, TROJ_FRS.0NA103DP23, TROJ_FRS.0NA103DS23, TROJ_FRS.VSNTE123, Trojan-Downloader.OSX.Lazarus.c, Trojan-NukeSped.g, Trojan:MacOS/NukeSped.H, Trojan:PDF/Phish!MSR, Trojan.DownLoader45.55021, Trojan.Generic.33556067, Trojan.Generic.D2000663, Trojan.Generic.D3F9EE60, Trojan.Generic.D3FA0EC6, Trojan.Generic.D3FA0ECC, Trojan.Generic.D3FA0F15, Trojan.GenericKD.66711136, Trojan.GenericKD.66719430, Trojan.GenericKD.66719436, Trojan.GenericKD.66719509, Trojan.MAC.Generic.111990, Trojan.MAC.Generic.D1B576, Trojan.MAC.Lazarus.O, Trojan.MAC.Lazarus.P, Trojan.MAC.Lazarus.Q, Trojan.MAC.Lazarus.R, Trojan.MAC.Lazarus.S, Trojan.MacOS.NUKESPED.VSNW1AD23, Trojan.MacOS.S.Agent.103440, Trojan.None.Lazarus.4!c, Trojan.OSX.Lazarus.4!c, Trojan.OSX.Nukesped, Trojan.PDF.Agent, Trojan.ZIP.Lazarus.4!c, Trojan/OSX.NukeSped.103440, Trojan/OSX.NukeSped.1144, Trojan/OSX.NukeSped.11843410, Trojan/OSX.NukeSped.215488, Trojan/OSX.NukeSped.573999, Trojan/OSX.NukeSped.578196, Trojan/OSX.NukeSped.589304, Trojan/OSX.NukeSped.590536, Trojan/OSX.NukeSped.601670, Trojan/OSX.NukeSped.84416, Trojan/PDF.Agent, TrojanDownloader:MacOS/Lazarus.23ba746b, TrojanDownloader:MacOS/Lazarus.8440ead7, TrojanDownloader:MacOS/Lazarus.c591a120

How can I learn more?

For additional technical details about how RustBucket functions, see the original report by Ferdous Saljooki and Jaron Bradley. The pair credited Patrick Wardle for assisting them with their analysis.

We also acknowledge Simon Kenin and MalwareHunterTeam, who independently discovered some of the same samples and domains as Intego’s researcher team.

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes. You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Follow Intego on Twitter Follow Intego on Facebook Follow Intego on YouTube Follow Intego on Pinterest Follow Intego on LinkedIn Follow Intego on Instagram Follow the Intego Mac Podcast on Apple Podcasts

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which has often been featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon. View all posts by Joshua Long →