RustBucket is a remote access trojan (RAT). RATs are typically built for espionage rather than direct monetary gain, although the two can overlap depending on the operator's objectives. They generally bundle several capabilities, such as a remote shell, keylogging, credential and information theft, and more.
RustBucket, employed by the APT group BlueNoroff (a North Korean subgroup of the well-known Lazarus Group), is multi-stage macOS malware delivered through elaborate social engineering campaigns. The initial droppers are written in Objective-C, Swift, and AppleScript, while the final payload is written in Rust. In typical campaigns, the malware poses as a benign PDF reader. The target is persuaded to open a specific PDF document with this rogue application; doing so triggers the malicious behaviour, including a callback to the attacker's command and control (C2) server. Read more on this campaign at the Jamf link below.