Unmasking the Rustbucket: A New Malware Variant on the Rise


Published on Jul 1, 2023   —   6 min read

Photo by Pedro Forester Da Silva / Unsplash


Welcome back to The Final Hop. Today, we delve into the sprawling labyrinth of cybersecurity, a realm teeming with hidden corners where minds oscillate between ethical and nefarious hacking endeavors. Emerging from the shadows of this complex landscape is a new menace: an updated version of an Apple macOS malware named 'Rustbucket'. This variant boasts amplified capabilities to establish persistence and dodge detection by security software.

We invite you on an expedition to uncover the depths of the 'Rustbucket' malware, revealing its inception, its impact on the macOS ecosystem, and the covert operations it enables. Along the way, we'll touch upon the ethical and security implications that this new variant raises in the ever-evolving field of cybersecurity.

Creators of Rustbucket

Rustbucket is indeed a malware creation by a North Korean threat actor known as BlueNoroff, which is a subset of the Lazarus Group. This group is an elite hacking unit supervised by North Korea's primary intelligence agency, the Reconnaissance General Bureau (RGB)​.

The Rustbucket malware was first discovered in April 2023, and it's an AppleScript-based backdoor capable of retrieving a second-stage payload from a remote server. The second-stage malware, compiled in Swift, is designed to download the main malware, a Rust-based binary, from the command-and-control server. This main malware has features to gather extensive information and fetch and run additional Mach-O binaries or shell scripts on the compromised system​.

The infection chain of Rustbucket starts with a macOS installer file that installs a backdoored, yet functional, PDF reader. The malicious activity is triggered only when a weaponized PDF file is launched using the rogue PDF reader. The initial intrusion vectors include phishing emails and employing bogus personas on social networks like LinkedIn​.

The observed attacks are highly targeted and focused on finance-related institutions in Asia, Europe, and the U.S., suggesting that the activity is aimed at illicit revenue generation to evade sanctions​​.

Interestingly, this is the first instance of BlueNoroff malware specifically targeting macOS users, and a .NET version of RustBucket has also surfaced in the wild with a similar set of features​.

As for the Lazarus Group, Kaspersky Lab reported in 2017 that it tended to focus on spying and infiltration cyberattacks, whereas BlueNoroff specialized in financial cyberattacks. Kaspersky found multiple attacks worldwide and a direct link (IP address) between Bluenoroff and North Korea.

Discovery and Details

The Rustbucket malware is a complex and multi-staged threat, specifically targeting macOS systems. Its initial form is an AppleScript-based backdoor, which is a type of malware that provides the attacker with unauthorized remote access to the infected system. This backdoor is capable of communicating with a command-and-control (C2) server to retrieve a second-stage payload. This means that after the initial infection, Rustbucket can download additional malicious software or code from the C2 server, further enhancing its capabilities and persistence on the infected system​.

The second-stage payload is compiled in Swift, a robust and intuitive programming language developed by Apple. This choice of language indicates that the malware is specifically designed to exploit macOS systems effectively. The second-stage payload's function is to download the main malware, a Rust-based binary, from the C2 server. Rust is a programming language that's known for its performance and safety, particularly against memory-related errors, which makes it an effective tool for creating stealthy and efficient malware​​.

Once downloaded and activated, the main Rustbucket malware has features that allow it to gather extensive information from the infected system. This could potentially include sensitive data such as passwords, financial information, or other personal data. Additionally, it can fetch and run additional Mach-O binaries or shell scripts. Mach-O is the native binary format used by macOS, and shell scripts are used to automate the command-line interface. By fetching and executing these, the malware can perform a wide variety of additional malicious tasks, potentially modifying system settings, downloading additional malware, or taking other actions without the user's knowledge or consent​​.

In terms of infection, Rustbucket's chain begins with a macOS installer file that installs a backdoored, yet functional, PDF reader. The malicious activity is only triggered when a weaponized PDF file is opened using the rogue PDF reader. This method allows the malware to remain dormant and undetected until the specific trigger condition is met, increasing its chances of establishing a foothold on the system before being detected​.

All of these features make Rustbucket a particularly menacing threat to macOS users, especially given its connection to the BlueNoroff group and its focus on targeting financial institutions​.

Cross-platform Efforts

The recent actions of BlueNoroff and their development of the Rustbucket malware highlight a significant trend within the cybersecurity landscape. This trend is the shift towards using cross-platform languages in the development of malware. Cross-platform languages, such as Rust, allow the same code to be run on multiple operating systems with little to no modification. This means that threat actors can develop a single piece of malware that can infect a wider range of systems, increasing their potential pool of victims and maximizing their efforts​.

This is a notable shift as traditionally, malware was typically designed for a specific operating system. This limitation was due to the differences in how various operating systems functioned, which required different programming techniques and tools. However, the rise of cross-platform languages has largely circumvented this issue, allowing for a more versatile and wide-ranging approach to malware creation.

In the case of Rustbucket, we see this approach in action. The malware was initially designed to target macOS systems, but a .NET version has since surfaced, demonstrating the malware's cross-platform capabilities. The .NET framework is a software framework developed by Microsoft, primarily running on Windows, which means that the same malware can now potentially target both macOS and Windows systems​​.

The implications of this trend are significant. As malware becomes increasingly platform-agnostic, the threat landscape expands, and the potential for widespread infection increases. It also means that cybersecurity defenses must adapt to this changing threat model, focusing not just on platform-specific threats but also on the more universal threats posed by cross-platform malware.

This shift towards cross-platform malware development further emphasizes the need for ongoing vigilance, robust cybersecurity practices, and up-to-date defensive measures across all operating systems. It's a potent reminder that in the realm of cybersecurity, evolution and adaptation are constants, and staying one step ahead of threat actors is an ongoing challenge.

Infection Chain

The infection chain of Rustbucket is complex. It begins with a macOS installer file that installs a backdoored, but functional, PDF reader. The malicious activity is triggered only when a weaponized PDF file is launched using the rogue PDF reader. Initial intrusion vectors include phishing emails and employing bogus personas on social networks such as LinkedIn​.

Targeted Attacks

The Rustbucket attacks are highly targeted, focusing primarily on finance-related institutions in Asia, Europe, and the U.S. This selective targeting suggests that the activity is geared towards illicit revenue generation, perhaps as a means to evade sanctions​.

Unusual Persistence Mechanism and Command-and-Control

What sets this newly identified version of Rustbucket apart is its unusual persistence mechanism and its use of a dynamic DNS domain for command-and-control. It also incorporates stealth measures to remain under the radar. For instance, it establishes its own persistence by adding a plist file at a specific path and copies the malware's binary to another specific path​​.


As we conclude this journey through the shadowy world of Rustbucket, it's clear that the threats in our cyber landscape are ever-evolving, adapting, and, most disturbingly, becoming more sophisticated. The audacious maneuvers of threat actors, such as the North Korean BlueNoroff, underscore the urgency for robust and proactive cybersecurity measures.

Rustbucket, with its multi-stage payloads, sophisticated programming, and insidious infection chain, serves as a chilling reminder of the lengths that these cybercriminals will go to wreak havoc and generate illicit revenue. As macOS users, we cannot afford to remain complacent. We must keep our systems updated, be wary of suspicious emails and social media personas, and most importantly, equip ourselves with the knowledge to recognize and respond to such threats.

In this age of digital warfare, the frontlines are not only on the physical battleground but also within the invisible threads of the internet. At The Final Hop, we are committed to shedding light on these threats, not to incite fear, but to empower you with the knowledge to protect yourself and your digital world. After all, understanding the enemy is the first step towards effective defense.

Until our next deep dive into the cyber abyss, stay safe, stay informed, and keep hopping.

Share on Facebook Share on Linkedin Share on Twitter Send by email

Subscribe to the newsletter

Subscribe to the newsletter for the latest news and work updates straight to your inbox, every week.