macOS users, be on your guard: unknown Trojan spreads via PDF files

Brother
The BlueNoroff group has come up with a way to infect financial organizations and investors.

Kaspersky Lab has discovered a new version of a malicious loader for macOS, presumably associated with the BlueNoroff APT group and its RustBucket campaign. The group targets financial organizations and users involved with cryptocurrencies.

The loader was disguised as a PDF file inside a ZIP archive created on October 21, 2023. At the time of detection the loader carried a valid code signature; the certificate has since been revoked. Exactly how the archive was distributed is unknown; the attackers may have emailed it to victims, as in their previous campaigns.

The executable, written in Swift and named EdoneViewer, was a universal binary containing versions for both Intel and Apple Silicon processors, and the malicious payload it carried was XOR-encrypted.
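Two checks an analyst would run against a sample like the one described above: enumerate the architecture slices of the universal (fat) Mach-O hidden behind a document-like name, and recover an XOR key for the embedded payload by treating the Mach-O magic as known plaintext. This is an added example, not Kaspersky's code or any part of the malware; the fat header is constructed inline, the slice offsets and sizes are placeholders, and the single-byte XOR key is an assumption (the report only says the payload was XOR-encrypted, not how long the key was).

```python
import struct

# Constructed sample, not the real EdoneViewer binary: a minimal fat (universal)
# Mach-O header with two slices, x86_64 and arm64, as in the two-architecture
# loader described above, followed by filler in place of real slices.
FAT_MAGIC = 0xCAFEBABE
FAT_MAGIC_BYTES = struct.pack(">I", FAT_MAGIC)
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}
# Thin Mach-O magics as stored on disk (MH_MAGIC / MH_MAGIC_64, little-endian).
THIN_MAGICS = (b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe")
# Java class files share the 0xCAFEBABE magic; their version field reads as an
# implausibly large slice count, so cap it (libmagic uses the same 30 cut-off).
MAX_FAT_ARCHES = 30


def build_sample_fat() -> bytes:
    """Build the constructed two-slice fat header used as sample input."""
    header = struct.pack(">II", FAT_MAGIC, 2)          # struct fat_header
    # struct fat_arch: cputype, cpusubtype, offset, size, align (big-endian)
    header += struct.pack(">IIIII", CPU_TYPE_X86_64, 3, 0x4000, 0x100, 14)
    header += struct.pack(">IIIII", CPU_TYPE_ARM64, 0, 0x8000, 0x100, 14)
    return header + b"\x00" * 16


def parse_fat_header(data: bytes) -> list:
    """Return the architecture names of a fat Mach-O, or [] if it is not one."""
    if len(data) < 8 or data[:4] != FAT_MAGIC_BYTES:
        return []
    nfat = struct.unpack(">I", data[4:8])[0]
    if nfat == 0 or nfat > MAX_FAT_ARCHES:
        return []
    arches = []
    for i in range(nfat):
        off = 8 + i * 20
        if off + 20 > len(data):
            break                                      # truncated header
        cputype = struct.unpack(">I", data[off:off + 4])[0]
        arches.append(CPU_NAMES.get(cputype, hex(cputype)))
    return arches


def looks_like_mach_o(data: bytes) -> bool:
    """True for a fat or thin Mach-O image, judged by its leading magic."""
    return data[:4] == FAT_MAGIC_BYTES or data[:4] in THIN_MAGICS


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when a file named like a document actually holds Mach-O code."""
    return filename.lower().endswith(".pdf") and looks_like_mach_o(data)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the key length is an assumption)."""
    return bytes(b ^ key for b in data)


def recover_single_byte_xor(blob: bytes):
    """Known-plaintext attack on a single-byte XOR: the decrypted payload must
    start with a Mach-O magic. Returns (key, plaintext) or None."""
    for key in range(256):
        if looks_like_mach_o(xor_bytes(blob[:4], key)):
            return key, xor_bytes(blob, key)
    return None
```

The magic check is what makes the key recovery cheap: a Mach-O payload gives four bytes of known plaintext at offset zero, so every candidate key is confirmed or rejected without decrypting the whole blob. For a multi-byte key the same idea works with a repeating-key search seeded from the magic plus the mostly-zero padding of the header, but that is not shown here.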

Image: malicious PDF bait

The loader executed an AppleScript that downloaded a harmless decoy PDF to distract the user and made a POST request to download the Trojan (.pw) from the command-and-control (C2) server, whose domain had been registered on October 20. The Trojan collected and sent the following information about the system once a minute:
  • computer name;
  • operating system version;
  • device's time zone;
  • device launch date;
  • date of installation of the operating system;
  • current time;
  • list of processes running in the system.

In response, the Trojan waited for one of three commands from the server: save data, delete itself, or keep waiting. At the time of the analysis the server had not sent a single command, so the contents of the next stage of the attack could not be determined.
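The fixed one-minute check-in described above is the kind of behaviour network telemetry can catch even when the payload itself is unknown. Below is an added detection example, not code from the report or from the malware, that groups outbound connections per process and destination and flags series whose inter-arrival times cluster tightly around 60 seconds. The events are constructed sample telemetry; the process name, PID and C2 hostname are placeholders, and the jitter-free cadence reflects the report's "once a minute" rather than any measured value.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample telemetry (not real logs): one event per outbound HTTP
# connection as (timestamp, process name, pid, destination host, method).
# The C2 host is a placeholder; the real domain is not reproduced here.
def build_sample_events() -> list:
    t0 = datetime(2023, 10, 23, 9, 0, 0)
    events = []
    # Trojan-like process: a POST to the same host every 60 s, no jitter.
    for i in range(8):
        events.append((t0 + timedelta(seconds=60 * i), ".pw", 4242,
                       "c2.example.invalid", "POST"))
    # Browser traffic: human-driven, irregular gaps.
    t = t0
    for gap in (0, 3, 47, 120, 9, 610, 31, 75):
        t += timedelta(seconds=gap)
        events.append((t, "Safari", 501, "www.example.com", "GET"))
    # Updater: regular but far slower cadence and too few events to judge.
    for i in range(3):
        events.append((t0 + timedelta(minutes=30 * i), "softwareupdated", 88,
                       "swscan.example.com", "POST"))
    return events


def detect_beacons(events, period=60.0, tolerance=5.0, min_count=5) -> list:
    """Group connections by (process, pid, host) and flag series whose
    inter-arrival times sit within `tolerance` seconds of `period` with a
    spread no larger than `tolerance`. Timestamps are sorted first because
    real telemetry arrives interleaved across processes."""
    series = defaultdict(list)
    for ts, proc, pid, host, _method in events:
        series[(proc, pid, host)].append(ts)
    hits = []
    for (proc, pid, host), times in series.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg, spread = mean(gaps), pstdev(gaps)
        if abs(avg - period) <= tolerance and spread <= tolerance:
            hits.append({"process": proc, "pid": pid, "host": host,
                         "count": len(times), "mean_interval": avg})
    return hits
```

Two practical caveats: implants that add jitter will push the spread above a tight tolerance, so in production the threshold is usually expressed relative to the period (coefficient of variation) rather than as a fixed number of seconds; and legitimate agents also poll on schedules, so a hit is worth pairing with process context such as a binary that was just extracted from a ZIP or that spawned an AppleScript, as the loader here did.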

RustBucket is a toolkit developed by a North Korean threat actor tracked as BlueNoroff, one of several subgroups operating under the Lazarus Group umbrella. Lazarus Group, in turn, is attributed to North Korea's Reconnaissance General Bureau (RGB), the country's main intelligence agency.

It was earlier reported that the Swift-compiled malware is designed to download the main malware from the C2 server: a Rust-based binary with functions for collecting extensive system information and for fetching and running additional Mach-O binaries or shell commands on the compromised system.