New Malware Targeting Apple’s MacOS Released by North Korean Hackers

Reuters

KEY POINTS

Researchers said a new Rustbucket malware variant evades all major anti-malware systems.
The new North Korean malware uses persistence mechanisms and connects to malicious sites.
A hacking group used the new malware to penetrate a European cryptocurrency firm.

New malware developed by North Korean hackers that targets Apple macOS users and cryptocurrency companies has been discovered.

Security news website Decipher reported that the newly discovered malware is a variant of the Rustbucket macOS malware associated with a subsidiary of North Korea's notorious Lazarus hacking group.

The latest variant reportedly has new persistence mechanisms and, at the time of analysis, evaded detection by all major anti-malware systems.

According to the report, it uses a three-stage model to execute its final payload and gain persistence on targeted devices: each stage retrieves and runs the next, and the final stage installs itself so that it survives reboots.

"In the case of this updated RUSTBUCKET sample, it establishes its own persistence by adding a plist file at the path /Users//Library/LaunchAgents/com.apple.systemupdate.plist, and it copies the malware's binary to the following path /Users//Library/Metadata/System Update," researchers from Elastic Security Labs said in their analysis of the North Korean malware.
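The two artifacts named in that quote (a LaunchAgent whose label impersonates Apple, and a binary dropped under ~/Library/Metadata/) are exactly what a defender would sweep a Mac fleet for. The script below is an added example, not code from the article or from Elastic Security Labs: it parses LaunchAgent plists with the standard library and flags the reported label and path, plus the more general pattern of a "com.apple.*" label or a RunAtLoad agent pointing outside system locations in a per-user LaunchAgents directory. The launchd keys it inspects (Label, Program, ProgramArguments, RunAtLoad) are standard, but the page does not show the real sample's plist contents, so the sample plists here are constructed and their key layout is an assumption.

```python
"""Hunt for RustBucket-style LaunchAgent persistence on macOS.

Added example; not code from the original article or from Elastic Security Labs.
Only the label (com.apple.systemupdate) and the ~/Library/Metadata/ drop path
come from the quoted analysis.  The plist key layout and the sample plists
below are constructed assumptions for illustration.
"""
import pathlib
import plistlib
from typing import List, Optional

# Indicators taken from the quoted Elastic analysis.
SUSPICIOUS_LABELS = {"com.apple.systemupdate"}
SUSPICIOUS_PROGRAM_FRAGMENTS = ("/Library/Metadata/",)  # inside a user's home dir

# Genuine Apple agents live in /System/Library/LaunchAgents; a "com.apple.*"
# label inside a *user* LaunchAgents directory deserves a look on its own.
APPLE_LABEL_PREFIX = "com.apple."
TRUSTED_PROGRAM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/")


def program_path(plist: dict) -> Optional[str]:
    """Return the executable a launchd plist would run (Program, else argv[0])."""
    prog = plist.get("Program")
    if isinstance(prog, str) and prog:
        return prog
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def assess_plist(data: bytes, plist_path: str) -> List[str]:
    """Return human-readable findings for one LaunchAgent plist (empty if clean)."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # an unparseable LaunchAgent is itself worth a ticket
        return [f"{plist_path}: unparseable plist ({exc.__class__.__name__})"]
    label = str(plist.get("Label", ""))
    prog = program_path(plist) or ""
    findings = []
    if label in SUSPICIOUS_LABELS:
        findings.append(f"{plist_path}: label {label!r} matches the reported RustBucket IOC")
    elif label.startswith(APPLE_LABEL_PREFIX):
        findings.append(f"{plist_path}: Apple-style label {label!r} in a user LaunchAgents dir")
    if any(frag in prog for frag in SUSPICIOUS_PROGRAM_FRAGMENTS):
        findings.append(f"{plist_path}: program {prog!r} lives under ~/Library/Metadata/")
    if plist.get("RunAtLoad") and prog and not prog.startswith(TRUSTED_PROGRAM_PREFIXES):
        findings.append(f"{plist_path}: RunAtLoad agent runs {prog!r} outside trusted paths")
    return findings


def scan_launch_agents(home: str) -> List[str]:
    """Assess every <home>/Library/LaunchAgents/*.plist and return all findings."""
    agents_dir = pathlib.Path(home) / "Library" / "LaunchAgents"
    findings: List[str] = []
    if not agents_dir.is_dir():
        return findings
    for path in sorted(agents_dir.glob("*.plist")):
        findings.extend(assess_plist(path.read_bytes(), str(path)))
    return findings


def make_plist(label: str, program: str, run_at_load: bool = True) -> bytes:
    """Build a minimal launchd plist (constructed helper for the samples/tests)."""
    return plistlib.dumps({
        "Label": label,
        "ProgramArguments": [program],
        "RunAtLoad": run_at_load,
        "KeepAlive": True,
    })


# Constructed samples: one mirroring the reported artifacts, one benign agent.
SAMPLE_PLIST = make_plist("com.apple.systemupdate",
                          "/Users/victim/Library/Metadata/System Update")
BENIGN_PLIST = make_plist("com.example.backup",
                          "/Applications/Backup.app/Contents/MacOS/backup")

if __name__ == "__main__":
    for line in assess_plist(SAMPLE_PLIST, "sample.plist"):
        print(line)
    for line in scan_launch_agents(str(pathlib.Path.home())):
        print(line)
```

Run it per user (each home directory has its own LaunchAgents folder); the findings from `SAMPLE_PLIST` show all three rules firing at once, which is what the reported sample would trigger, while a legitimate vendor agent under /Applications/ produces nothing.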

The persisted binary reportedly connects to a domain that is known to be malicious and has been used in other attack campaigns, including phishing campaigns.

Elastic Security Labs researchers also examined the malicious domains and other infrastructure that the new Rustbucket variant contacts once it has established persistence.

"There is a specific User-Agent string (cur1-agent) that is expected when downloading the Stage 2 binary; if you do not use the expected User-Agent, you will be provided with a 405 HTTP response status code. It also appears that the campaign owners are monitoring their payload staging infrastructure. Using the expected User-Agent for the Stage 3 binary download (mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)), we were able to collect the Stage 3 binary," the researchers said.

A hacking group, tracked as REF9135 by the Elastic Security Labs researchers, used the malware to attack a Europe-based cryptocurrency company.

The group also took steps to evade defensive technologies and frustrate analysis during its attacks, including rotating its command-and-control (C2) infrastructure once researchers began retrieving its payloads.

"Finally, we observed REF9135 changing its C2 domain once we began to collect the Stage 2 and 3 binaries for analysis. When making subsequent requests to the original server (crypto.hondchain[.]com), we received a 404 HTTP response status code (Not Found) and shortly after, a new C2 server was identified (starbucls[.]xyz)," the researchers said.
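The two quotes above give a defender three concrete network indicators: the stage-2 gate User-Agent "cur1-agent", the stage-3 User-Agent (an Internet Explorer 8 on Windows XP string, which no macOS browser sends), and the two C2 hosts crypto.hondchain[.]com and starbucls[.]xyz. The script below is an added example, not code from the article or from Elastic Security Labs, that runs those indicators over web-proxy log lines. The log format, the sample lines and the client-to-OS inventory are constructed for the example; the last rule (a Windows User-Agent from a host the inventory says is a Mac) generalises beyond the named domains and would still fire after the group rotates its C2 again, which the second quote shows it does.

```python
"""Detect RustBucket staging traffic in web-proxy logs.

Added example; not code from the original article or from Elastic Security Labs.
Indicators (two User-Agent strings, two C2 hosts) come from the quoted analysis.
The log format, the sample log lines and the HOST_OS inventory are constructed.
"""
import re
from typing import Dict, List

# Indicators lifted from the quoted Elastic analysis (defanging brackets removed).
C2_DOMAINS = {"crypto.hondchain.com", "starbucls.xyz"}
STAGE2_UA = "cur1-agent"
STAGE3_UA = "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)"

# Constructed log format: <ts> <client_ip> <METHOD> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+'
    r'(?P<status>\d{3})\s+"(?P<ua>[^"]*)"$'
)

# Constructed asset inventory; in practice this comes from MDM or a CMDB.
HOST_OS: Dict[str, str] = {"10.0.0.5": "macOS", "10.0.0.9": "Windows"}


def host_of(url: str) -> str:
    """Extract the lowercase hostname from scheme://host[:port]/path."""
    m = re.match(r"^[a-z]+://([^/:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def classify(line: str) -> List[str]:
    """Return the reasons one proxy log line is suspicious (empty list if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    client, url, ua = m["client"], m["url"], m["ua"].lower()
    host = host_of(url)
    reasons = []
    if host in C2_DOMAINS:
        reasons.append(f"known RustBucket C2 host {host}")
    if ua == STAGE2_UA:
        reasons.append("stage-2 gate User-Agent 'cur1-agent'")
    if ua == STAGE3_UA:
        reasons.append("stage-3 User-Agent (IE8 / Windows XP string)")
    # Platform mismatch: a Mac should never present a Windows-only browser UA.
    # This catches the stage-3 fetch even from a C2 host not yet on the list.
    if HOST_OS.get(client) == "macOS" and "windows nt" in ua:
        reasons.append("Windows User-Agent from a macOS host")
    return reasons


def scan(lines: List[str]) -> List[dict]:
    """Run classify() over every line; return one hit record per suspicious line."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            m = LOG_RE.match(line)
            hits.append({"client": m["client"], "url": m["url"],
                         "status": int(m["status"]), "reasons": reasons})
    return hits


# Constructed sample traffic: a Mac fetching stage 2 then stage 3, a probe that
# lacks the gate UA and gets the 405 the report describes, unrelated browsing,
# and a later fetch from the rotated C2 host.
SAMPLE_LOG = [
    '2023-07-01T10:00:01Z 10.0.0.5 GET http://crypto.hondchain.com/stage2 200 "cur1-agent"',
    '2023-07-01T10:00:02Z 10.0.0.5 GET http://crypto.hondchain.com/stage3 200 '
    '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"',
    '2023-07-01T10:00:03Z 10.0.0.9 GET http://crypto.hondchain.com/stage2 405 "curl/8.1.2"',
    '2023-07-01T10:00:04Z 10.0.0.5 GET https://www.apple.com/ 200 "Mozilla/5.0 (Macintosh)"',
    '2023-07-02T09:12:44Z 10.0.0.5 GET http://starbucls.xyz/stage2 200 "cur1-agent"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["client"], hit["url"], hit["status"], "; ".join(hit["reasons"]))
```

The 405 line is deliberately included: a scanner or sandbox that fetches the stage-2 URL without the gate User-Agent sees only a 405, so a proxy log showing 405s to an unfamiliar host followed by a 200 with the "cur1-agent" string is the sequence to look for.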

Rustbucket malware was first detected in April by researchers at Jamf, who observed it being used by a hacking group called BlueNorOff in a series of cyberattacks.

Researchers describe BlueNorOff as one of the subgroups of North Korea's Lazarus Group, which is linked to a long list of high-profile cyberattacks.

Last month, multiple crypto-tracking experts told CNN that North Korean hackers were likely the culprits in the theft of at least $35 million from customers of Atomic Wallet, an Estonia-based company.

Atomic Wallet said the hacking incident affected "less than 1%" of its monthly users, but the company has not specified how much money may have been siphoned by North Korean hackers.

U.S. officials have alleged that revenues from North Korea's illegal hacking activities fund about 50% of the country's nuclear and ballistic missile programs.


2023-07-21 06:48:02
Article from www.ibtimes.com