New RUSTBUCKET Malware With Zero Detections on VirusTotal

by Esmeralda McKenzie

New RUSTBUCKET Malware

The DPRK campaign is using a recently updated version of the RUSTBUCKET malware to avoid detection.

This variant of RUSTBUCKET targets macOS systems, adds persistence capabilities not previously observed and, at the time of reporting, is undetected by VirusTotal signature engines.

The Elastic Security Labs team has detected a new variant of the RUSTBUCKET malware, a family previously attributed to the BlueNorOff group by Jamf Threat Labs in April 2023.

The DPRK conducts malicious cyber activities and deploys information technology (IT) workers who fraudulently obtain employment to generate revenue.

RUSTBUCKET Malware Infection Chain

According to the analysis, the RUSTBUCKET family of malware is under active development. Additionally, at the time of publication, this new variant has zero detections on VirusTotal and leverages a dynamic network infrastructure methodology for command and control.

The command /usr/bin/osascript was used to execute the AppleScript responsible for downloading the Stage 2 binary from the C2 using cURL.

This session contains the string pd in the body of the HTTP request and cur1-agent as the User-Agent string, and saves the Stage 2 binary to /users/shared/.pd.

The Stage 2 binary (.pd) is compiled in Swift and operates based on command-line arguments. The binary expects a C2 URL to be supplied as the first parameter when executed.

Upon execution, it invokes the downAndExec function, which is responsible for preparing a POST HTTP request.

To initiate this request, the binary sets the User-Agent string to mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0) and includes the string pw in the body of the HTTP request.

During execution, the malware uses specific macOS APIs for different operations. It begins with NSFileManager's temporaryDirectory function to obtain the current temporary folder, then generates a random UUID using NSUUID's UUID.init method.

Finally, the malware combines the temporary directory path with the generated UUID to create a new file location and writes the payload to it.

Once the payload is written to disk, the malware uses NSTask to launch its execution.

Gathers System Information

The malware begins its operations by dynamically generating a 16-byte random value at runtime. This value serves as a unique identifier for the specific instance of the active malware. The malware then proceeds to collect comprehensive system information, including:

  • Computer name
  • List of active processes
  • Current timestamp
  • Install timestamp
  • System boot time
  • Status of all running processes within the system

The malware establishes its initial connection to the C2 server by transmitting the gathered information via a POST request. The request is accompanied by a User-Agent string formatted as Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0).

Upon receiving the request, the C2 server responds with a command ID, which serves as an instruction for the malware. The malware is designed to handle only two commands.

Command ID 0x31 - self-terminate

Command ID 0x30 - This command allows the operator to upload malicious Mach-O binaries or shell scripts to the system and execute them.

The malware proceeds by granting execution permissions to the uploaded file using the chmod API. After executing the payload, the malware sends a status update to the server, notifying it of the completed execution, and then sleeps for 60 seconds.

Following this delay, the malware loops to gather system information again and remains in a waiting state, awaiting the arrival of the next command from the server.
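As an added example (not code from this article or from Elastic Security Labs), the following Python script turns the behaviours described above into hunting rules and runs them over constructed endpoint and proxy telemetry: osascript spawning curl, the cur1-agent User-Agent with a pd body, the drop to /users/shared/.pd, the MSIE 8 User-Agent with a pw body, and the SHA-256 values from the IoC list below. The JSON record schema, field names, hostnames and timestamps are assumptions made for this example.

```python
import json
from typing import Iterator

# Observables quoted in the article; every other value in this example
# (record schema, field names, hostnames, timestamps) is constructed.
STAGE1_UA = "cur1-agent"
MSIE8_UA = "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)"
STAGE2_PATH = "/users/shared/.pd"
BODY_MARKERS = {"pd": "stage1-download", "pw": "stage2-beacon"}
KNOWN_HASHES = {  # SHA-256 values from the article's IoC list
    "9ca914b1cfa8c0ba021b9e00bda71f36cad132f27cf16bda6d937badee66c747",
    "7fccc871c889a4f4c13a977fdd5f062d6de23c3ffd27e72661c986fae6370387",
    "ec8f97d5595d92ec678ffbf5ae1f60ce90e620088927f751c76935c46aa7dc41",
    "de81e5246978775a45f3dbda43e2716aaa1b1c4399fe7d44f918fccecc4dd500",
    "4f49514ab1794177a61c50c63b93b903c46f9b914c32ebe9c96aa3cbc1f99b16",
    "fe8c0e881593cc3dfa7a66e314b12b322053c67cbc9b606d5a2c0a12f097ef69",
    "7887638bcafd57e2896c7c16698e927ce92fd7d409aae698d33cdca3ce8d25b8",
}

# Constructed telemetry, one JSON object per line. Assumed schema: "type" is
# process | file_write | http, followed by per-type fields.
SAMPLE_LOG = """
{"ts": "2023-06-01T10:00:01Z", "host": "mac-01", "type": "process", "name": "curl", "parent": "osascript", "sha256": "0000000000000000000000000000000000000000000000000000000000000000"}
{"ts": "2023-06-01T10:00:02Z", "host": "mac-01", "type": "http", "method": "POST", "user_agent": "cur1-agent", "body": "pd"}
{"ts": "2023-06-01T10:00:03Z", "host": "mac-01", "type": "file_write", "path": "/Users/Shared/.pd", "process": "curl"}
{"ts": "2023-06-01T10:00:04Z", "host": "mac-01", "type": "process", "name": ".pd", "parent": "sh", "sha256": "9ca914b1cfa8c0ba021b9e00bda71f36cad132f27cf16bda6d937badee66c747"}
{"ts": "2023-06-01T10:00:05Z", "host": "mac-01", "type": "http", "method": "POST", "user_agent": "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)", "body": "pw"}
{"ts": "2023-06-01T10:00:09Z", "host": "mac-01", "type": "http", "method": "POST", "user_agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)", "body": "name=mac-01&boot=1685520000"}
{"ts": "2023-06-01T10:01:00Z", "host": "mac-02", "type": "http", "method": "GET", "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4) Safari/605.1.15", "body": ""}
{"ts": "2023-06-01T10:01:30Z", "host": "mac-02", "type": "process", "name": "curl", "parent": "zsh", "sha256": "1111111111111111111111111111111111111111111111111111111111111111"}
"""


def load_records(text: str) -> Iterator[dict]:
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def match_record(rec: dict) -> list[str]:
    """Return the names of every hunting rule the record satisfies."""
    hits: list[str] = []
    kind = rec.get("type")
    if kind == "process":
        # Stage 1: the AppleScript run by osascript fetches Stage 2 with cURL.
        if rec.get("parent") == "osascript" and rec.get("name") == "curl":
            hits.append("osascript-spawned-curl")
        if rec.get("sha256", "").lower() in KNOWN_HASHES:
            hits.append("known-rustbucket-hash")
    elif kind == "file_write":
        # Stage 2 is written to /users/shared/.pd (macOS paths are case-insensitive).
        if rec.get("path", "").lower() == STAGE2_PATH:
            hits.append("stage2-dropped")
    elif kind == "http":
        ua = rec.get("user_agent", "").lower()
        body = rec.get("body", "").strip().lower()
        if ua == STAGE1_UA:
            hits.append("stage1-ua")
        if ua == MSIE8_UA:  # shared by the Stage 2 and Stage 3 beacons
            hits.append("msie8-ua")
        if rec.get("method") == "POST" and body in BODY_MARKERS:
            hits.append(BODY_MARKERS[body])
    return hits


def hunt(text: str) -> list[dict]:
    """Run every rule over the telemetry and keep the records that matched."""
    findings = []
    for rec in load_records(text):
        hits = match_record(rec)
        if hits:
            findings.append({"ts": rec.get("ts"), "host": rec.get("host"), "rules": hits})
    return findings


def score_hosts(findings: list[dict]) -> dict[str, int]:
    """Count distinct rules per host: several different rules on one host is
    far stronger evidence than one weak User-Agent match."""
    per_host: dict[str, set] = {}
    for f in findings:
        per_host.setdefault(f["host"], set()).update(f["rules"])
    return {host: len(rules) for host, rules in per_host.items()}


if __name__ == "__main__":
    results = hunt(SAMPLE_LOG)
    for f in results:
        print(f["ts"], f["host"], ", ".join(f["rules"]))
    print(score_hosts(results))
```

The MSIE 8 User-Agent on its own is a weak signal, since legacy software still sends it, which is why score_hosts correlates rules per host: mac-01 trips seven distinct rules within a few seconds, while the benign mac-02 traffic matches nothing.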

The multi-stage composition of the malware, along with the use of the Rust programming language and the targeting of macOS, make detection and prevention a significant challenge.

Indicators of compromise (SHA-256):

9ca914b1cfa8c0ba021b9e00bda71f36cad132f27cf16bda6d937badee66c747
7fccc871c889a4f4c13a977fdd5f062d6de23c3ffd27e72661c986fae6370387
ec8f97d5595d92ec678ffbf5ae1f60ce90e620088927f751c76935c46aa7dc41
de81e5246978775a45f3dbda43e2716aaa1b1c4399fe7d44f918fccecc4dd500
4f49514ab1794177a61c50c63b93b903c46f9b914c32ebe9c96aa3cbc1f99b16
fe8c0e881593cc3dfa7a66e314b12b322053c67cbc9b606d5a2c0a12f097ef69
7887638bcafd57e2896c7c16698e927ce92fd7d409aae698d33cdca3ce8d25b8

Source credit : cybersecuritynews.com
