![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2023\/05\/Rust-Bucket-Mac-malware-logo-600x400-1.jpg\"){kind=logo}
<\/p>\n<\/p>\n
An advanced persistent threat (APT) group known as BlueNoroff is reportedly targeting Macs with a new malware family. BlueNoroff is believed to have ties to Lazarus Group<\/a>, which has developed a variety of Mac malware in recent years. Both APT groups seem to be aligned with the interests of the North Korean government.<\/p>\n The new malware family is known as RustBucket. Keep reading to learn everything you need to know about this threat and how to keep your Mac safe.<\/p>\n In this article:<\/em><\/p>\n To an unsuspecting user, the RustBucket Trojan horse looks like a simple PDF-reader app. It has an innocuous-looking icon, and the app’s name is \u201cInternal PDF Viewer.\u201d (Note that future variants may use a different disguise instead.)<\/p>\n OSX\/RustBucket’s “Internal PDF Viewer” Trojan horse app icon.<\/p><\/div>\n RustBucket’s first-stage Trojan is a simple AppleScript app that runs a few shell scripts. These scripts download, unzip, and run a second-stage payload, written in Objective-C.<\/p>\n That second payload is a basic PDF reader app. Yes, you can actually open any standard PDF with it. However, “Internal PDF Viewer” has some secret functionality as well.<\/a><\/p>\n As the name hints, “Internal PDF Viewer” is designed to read particular PDF files. But in reality, the app doesn’t let you view proprietary PDFs intended exclusively for the eyes of a particular company’s employees.<\/p>\n Instead, opening a maliciously crafted PDF file triggers additional behavior, causing the app to phone home to a command-and-control (C&C or C2) server.<\/a><\/p>\n At this point, the app attempts to download an additional payload or receive further instructions from the server. However, by the time the malware was discovered, the server was not responding to the phone-home URL as expected. This seems to imply that the goals of that particular variant’s campaign might have already been achieved. It seemed that the server operators had voluntarily shut down the C&C functionality at that particular URL.<\/p>\n However, researchers discovered another URL on the same server that hosted what may have been the third-stage malware payload. This payload was written in Rust (hence the malware’s nickname, RustBucket).<\/p>\n Researchers are still investigating the functionality of this last payload. But based on the APT group’s past activity, BlueNoroff’s RustBucket malware would likely attempt to steal cryptocurrency. It may also attempt to exfiltrate other sensitive or proprietary information to the North Korea-linked threat group.<\/a><\/p>\n Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9<\/a><\/strong>, can protect against, detect, and eliminate this Mac malware. Intego products detect components of this threat as OSX\/RustBucket<\/strong> or variations of trojan:OSX\/Nukesped<\/strong>.<\/p>\n If you believe your Mac may be infected\u2014or to prevent future infections\u2014use trusted antivirus software. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection<\/a>. It’s compatible with a variety of Mac hardware and OS versions, including the latest Apple silicon Macs running macOS Ventura.<\/p>\n Additionally, if you use a Windows PC, Intego Antivirus for Windows<\/strong><\/a> can keep your computer protected from PC malware.<\/p>\n VirusBarrier X6, X7, and X8 on older Mac OS X versions also provide protection. Note, however, that it is best to upgrade to the latest versions of macOS and VirusBarrier; this will help ensure your Mac gets all the latest security updates from Apple.<\/a><\/span><\/p>\n This file path is associated with RustBucket malware:<\/p>\n The following SHA-256 hashes relate to RustBucket-related malware campaigns:<\/p>\n These command-and-control (C&C) domains and IP address have been used in conjunction with this malware:<\/p>\n Network administrators can check recent network traffic logs to try to identify whether any computers on their network may have attempted to contact these domains or IP, which could indicate a possible infection.<\/a><\/p>\n Other vendors’ names for threat components related to this malware campaign may include variations of the following, among others:<\/p>\n Backdoor (0040f37a1), BIN.S.Agent.1144, HEUR_PDFEXP.E, HEUR:Trojan-Downloader.OSX.Lazarus.d, HEUR:Trojan-Downloader.OSX.Lazarus.e, HEUR:Trojan-Downloader.OSX.Lazarus.gen, IOS\/Nukesped.E, MAC\/NukeSpeed.E, MacOS:Nukesped-A [Drp], MacOS:NukeSpeed-AC [Trj], MacOS:NukeSpeed-AD [Trj], MacOS\/Nukesped.E, Malware.OSX\/NukeSped.kdvjc, Malware.OSX\/NukeSped.mwfxa, Malware.OSX\/NukeSped.xtyyy, Malware.OSX\/NukeSped.xtyzd, Osx.Trojan-Downloader.Lazarus.Cdhl, Osx.Trojan-Downloader.Lazarus.Lzfl, OSX.Trojan.Gen, Osx.Trojan.Nukesped.Rnkl, OSX\/NukeSped-AV, OSX\/NukeSped.kdvjc, OSX\/NukeSped.mwfxa, OSX\/NukeSped.R, OSX\/NukeSped.R!tr, OSX\/NukeSped.S, OSX\/NukeSped.xtyyy, OSX\/NukeSped.xtyzd, PDF.Z.Agent.1921288, PDF\/Agent.AV, PDF\/Agent.AW, PDF\/Agent.AX, PDF\/Agent.C6C7!tr, PDF\/Agent5.D, PDF\/BlueNoroff, TROJ_FRS.0NA103DP23, TROJ_FRS.0NA103DS23, TROJ_FRS.VSNTE123, Trojan-Downloader.OSX.Lazarus.c, Trojan-NukeSped.g, Trojan:MacOS\/NukeSped.H, Trojan:PDF\/Phish!MSR, Trojan.DownLoader45.55021, Trojan.Generic.33556067, Trojan.Generic.D2000663, Trojan.Generic.D3F9EE60, Trojan.Generic.D3FA0EC6, Trojan.Generic.D3FA0ECC, Trojan.Generic.D3FA0F15, Trojan.GenericKD.66711136, Trojan.GenericKD.66719430, Trojan.GenericKD.66719436, Trojan.GenericKD.66719509, Trojan.MAC.Generic.111990, Trojan.MAC.Generic.D1B576, Trojan.MAC.Lazarus.O, Trojan.MAC.Lazarus.P, Trojan.MAC.Lazarus.Q, Trojan.MAC.Lazarus.R, Trojan.MAC.Lazarus.S, Trojan.MacOS.NUKESPED.VSNW1AD23, Trojan.MacOS.S.Agent.103440, Trojan.None.Lazarus.4!c, Trojan.OSX.Lazarus.4!c, Trojan.OSX.Nukesped, Trojan.PDF.Agent, Trojan.ZIP.Lazarus.4!c, Trojan\/OSX.NukeSped.103440, Trojan\/OSX.NukeSped.1144, Trojan\/OSX.NukeSped.11843410, Trojan\/OSX.NukeSped.215488, Trojan\/OSX.NukeSped.573999, Trojan\/OSX.NukeSped.578196, Trojan\/OSX.NukeSped.589304, Trojan\/OSX.NukeSped.590536, Trojan\/OSX.NukeSped.601670, Trojan\/OSX.NukeSped.84416, Trojan\/PDF.Agent, TrojanDownloader:MacOS\/Lazarus.23ba746b, TrojanDownloader:MacOS\/Lazarus.8440ead7, TrojanDownloader:MacOS\/Lazarus.c591a120<\/span><\/a><\/p>\n For additional technical details about how RustBucket functions, see the original report<\/a> by Ferdous Saljooki and Jaron Bradley. The pair credited Patrick Wardle<\/a> for assisting them with their analysis.<\/p>\n We also acknowledge Simon Kenin<\/a> and MalwareHunterTeam<\/a>, who independently discovered some of the same samples and domains as Intego’s researcher team.<\/p>\n An APT group known as BlueNoroff, which has ties with Lazarus Group, is targeting Macs with a fake PDF viewer Trojan horse. Here is everything you need to know about this macOS malware.<\/p>\n","protected":false},"author":14,"featured_media":97915,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[190],"tags":[4291,4288,86],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\n\n\n\t\n\t\n\t\n\n
\n
What does OSX\/RustBucket Mac malware do?<\/h3>\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2023\/05\/BlueNoroff-OSX-RustBucket-NukeSped-Internal-PDF-Viewer-Trojan-horse-malware-icon.png\"){kind=icon}
The evil-PDF trigger<\/strong><\/h4>\n
The third-stage payload<\/strong><\/h4>\n
How can one remove or prevent RustBucket and other Mac malware?<\/h3>\n
![\"Intego](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/06\/X9-Mac-Antivirus-Launch-300x150.png\")
<\/p>\nRustBucket indicators of compromise (IoCs)<\/h3>\n
\/Users\/Shared\/Internal PDF Viewer.app<\/pre>\n
014692bbe2d289563f67a922d12c9c0af290e6c8b1a473418d705b2022868b5f*\r\n07d206664a8d397273e69ce37ef7cf933c22e93b62d95b673d6e835876feba06\r\n0d6964fe763c2e6404cde68af2c5f86d34cf50a88bd81bc06bba739010821db0\r\n123543c7a5523a15a933e32477b8cba4cd79a680bb69ef2dba178700bfb9ec07\r\n30025e57c68c37337cb00600c851bbcba75723e4fadf960a572176c94aa7f2e2*\r\n38106b043ede31a66596299f17254d3f23cbe1f983674bf9ead5006e0f0bf880\r\n3b6f30369a4ee8bf9409d141b6d1b3fb4286c34984b5de005ed7431df549b17e\r\n3d41cd5199dbd6cefcc78d53bb44a2ecbea716de2bc8e547ead7c2aebd9925f0\r\n7981ebf35b5eff8be2f3849c8f3085b9cec10d9759ff4d3afd46990520de0407\r\n7c66d2d75be43d2c17e75d37c39344a9b5d29ee5c5861f178aa7d9f34208eb48\r\n7e2b38decf1f826fbb792d762d9e6a29147e9ecb44eb2ad2c4dc08e7ee01a140\r\n8e234482db790fa0a3d2bf5f7084ec4cfb74bffd5f6cbdc5abdbc1350f58e3fe\r\n9525f5081a5a7ab7d35cf2fb2d7524e0777e37fe3df62730e1e7de50506850f7\r\n9ca914b1cfa8c0ba021b9e00bda71f36cad132f27cf16bda6d937badee66c747\r\nb448381f244dc0072abd4f52e01ca93efaebb2c0a8ea8901c4725ecb1b2b0656\r\nb68bf400a23b1053f54911a2b826d341f6bf87c26bea5e6cf21710ee569a7aab*\r\nbea33fb3205319868784c028418411ee796d6ee3dfe9309f143e7e8106116a49\r\nc56a97efd6d3470e14193ac9e194fa46d495e3dddc918219cca530b90f01d11e\r\ne74e8cdf887ae2de25590c55cb52dad66f0135ad4a1df224155f772554ea970c\r\nea5fac3201a09c3c5c3701723ea9a5fec8bbc4f1f236463d651303f40a245452\r\nff8832355ae99ffd66d0fe9eda2d74efdf3ed87bb2a4c215b93ade93165f7c0b\r\n*First reported by Intego<\/pre>\n
cloud.dnx[.]capital\r\ndeck.31ventures[.]info\r\nlaos.hedgehogvc[.]us\r\n104.255.172[.]56<\/pre>\n
Is RustBucket known by any other names?<\/h3>\n
How can I learn more?<\/h3>\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/04\/intego-podcast-artwork-400.jpg\")
<\/a>Each week on the Intego Mac Podcast<\/strong><\/a>, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast<\/strong><\/a> to make sure you don\u2019t miss any episodes. You can also subscribe to our e-mail newsletter<\/strong><\/a> and keep an eye here on The Mac Security Blog<\/strong><\/a> for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: ![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/10\/Twitter-logo-icon-64.png\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/10\/Facebook-logo-icon-64.png\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/10\/YouTube-logo-icon-64.png\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/10\/Pinterest-logo-icon-64.png\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/10\/LinkedIn-logo-icon-64.png\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/10\/Instagram-logo-icon-64.png\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/10\/ios9-podcasts-app-tile.png\" "\\"Follow")
<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"