Threat Database Mac Malware RustBucket Malware

RustBucket Malware

Cybersecurity experts have identified a novel form of malware that is specifically designed to target Apple devices running macOS. This threatening software, known as RustBucket, is being utilized by an advanced persistent threat (APT) group called BlueNoroff, which is believed to be closely linked to or possibly even a sub-group of the notorious Lazarus group.

Notably, BlueNoroff has previously targeted Windows-based systems using malware that was able to circumvent Mark-of-the-Web security protocols. The newly discovered macOS malware is disguised as a legitimate PDF viewer application called 'Internal PDF Viewer' that appears to function as expected. However, in reality, it is an insidious tool used to gain unauthorized access to sensitive data on compromised systems. Details about the threat were released by Jamf, a mobile device management company.

The RustBucket macOS Malware is Delivered in Multiple Stages

RustBucket malware uses a multi-stage approach to infect the targeted Mac devices. The first stage is an unsigned application called 'Internal PDF Viewer,' which, upon execution, downloads the second stage of the malware from a Command-and-Control (C2) server.

The second stage of the malware carries the same name - 'Internal PDF Viewer,' but this time, it is a signed application that is designed to look like a legitimate Apple bundle identifier ( and has an ad-hoc signature. By dividing the malware into different stages, the threat actors make it more difficult to analyze, particularly if the C2 server goes offline.

A Corrupted PDF File is the Last Piece of the RustBucket Infection

However, even at this stage, RustBucket will not activate any of its malicious capabilities. In order to successfully activate its true functionality on the breached macOS device, a specific PDF file must be opened. This corrupted PDF file is disguised as a nine-page document that purports to contain information about venture capital firms seeking to invest in technical startups.

In reality, opening the file will complete the RustBucket infection chain by triggering the execution of an 11.2 MB Trojan that is also signed with an ad-hoc signature and written in Rust. The Trojan threat can perform various intrusive functions, such as carrying out system reconnaissance by collecting basic system data and obtaining a list of the currently running processes. The threat also sends data to the attackers if it is running in a virtual environment.

The Cybercriminals are Starting to Adapt to the macOS Ecosystem

The utilization of malware by cyber attackers highlights a growing trend in which the macOS operating system is increasingly becoming a target for cybercrime. This trend is driven by the fact that cybercriminals are recognizing that they need to update their tools and tactics to include the Apple platform. This means that a substantial number of potential victims are at risk of being targeted by attackers who have adapted their strategies to exploit the vulnerabilities of macOS systems.


Most Viewed