Lineage w app
7/9/2023

Researchers at Jamf have discovered a new macOS malware being used to target Apple devices. The mobile device management company attributed the malware and its usage to the advanced persistent threat group BlueNoroff, a sub-group of Lazarus. BlueNoroff is the same APT group that targeted Windows machines late last year through malware that evaded Mark-of-the-Web security implementations.

The new macOS malware, RustBucket, is disguised as a legitimate-looking PDF viewer app (Internal PDF Viewer) that actually works. The stage-one executable, Internal PDF Viewer, is an unsigned app that, when executed, downloads the stage-two malware from the command and control (C2) server. The stage-two malware, also named Internal PDF Viewer, is a signed application that carries an Apple-looking bundle identifier () but only an ad-hoc signature, so nothing in the signature chains back to Apple or to a registered developer.

“By breaking up the malware into several components or stages, the malware author makes analysis more difficult, especially if the C2 goes offline,” Jamf explained. Both the stage-one and stage-two components of RustBucket were undetected on VirusTotal at the time of Jamf’s disclosure. As of today, stage one of RustBucket is detected by eight security vendors, while nine vendors detect stage two.

However, the PDF viewer app is only one piece of the puzzle. Successful exploitation of the target requires the correct PDF file, which, when opened, begins the execution of the attack. “Upon execution, the application does not perform any malicious actions yet. For the malware to take the next step and communicate with the attacker, the correct PDF must be loaded,” Jamf added. Loading any other PDF file gives the following message: [screenshot not reproduced]

The PDF file is a bogus nine-page document about venture capital firms looking to invest in tech startups. Once this malicious file is loaded, the program initiates stage three of the attack: the execution of an 11.2-megabyte trojan, also signed ad-hoc and written in Rust. This trojan runs system reconnaissance commands to collect basic system data such as the current time, a process listing, and whether it is running in a virtual machine.

“The malware used here shows that as macOS grows in market share, attackers realize that a number of victims will be immune if their tooling is not updated to include the Apple ecosystem.”
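A triage check for the signing details described above, added here as an example and not code from the article or from Jamf: a small POSIX shell helper that classifies the output of `codesign -dvv` for an app bundle and flags the combination the stage-two bundle shows, an Apple-style `com.apple.` bundle identifier paired with only an ad-hoc signature. Genuine Apple-shipped apps are signed by Apple's "Software Signing" authority, never ad-hoc. The sample outputs are constructed to follow codesign's output format; the paths and the `com.apple.placeholder` identifier are assumptions, not RustBucket's real values.

```shell
#!/bin/sh
# Added example (not Jamf's tooling). Classify an app's code signature the
# way a responder would when hunting for RustBucket-style bundles.

# Read `codesign -dvv` text from stdin and print exactly one verdict:
#   unsigned        - no signature at all (like the stage-one app)
#   adhoc-apple-id  - ad-hoc signed but claims a com.apple.* identifier
#   adhoc           - ad-hoc signed with a non-Apple identifier
#   apple-signed    - signed by Apple's "Software Signing" authority
#   signed          - signed by some other certificate chain
assess_codesign_text() {
    text=$(cat)
    if printf '%s\n' "$text" | grep -q 'code object is not signed at all'; then
        echo unsigned
        return 0
    fi
    ident=$(printf '%s\n' "$text" | sed -n 's/^Identifier=//p' | head -n 1)
    # codesign prints "Signature=adhoc" (and flags=0x2(adhoc)) for ad-hoc signing;
    # there are no Authority= lines because no certificate is involved.
    if printf '%s\n' "$text" | grep -q '^Signature=adhoc$'; then
        case "$ident" in
            com.apple.*) echo adhoc-apple-id ;;
            *)           echo adhoc ;;
        esac
        return 0
    fi
    if printf '%s\n' "$text" | grep -q '^Authority=Software Signing$'; then
        echo apple-signed
        return 0
    fi
    echo signed
}

# Run codesign against a real bundle (macOS only). codesign writes its
# details to stderr, so merge it into the pipe.
assess_app() {
    codesign -dvv "$1" 2>&1 | assess_codesign_text
}

# Constructed sample outputs in the shape codesign produces. The bundle
# identifier and paths are placeholders, not captured from the real malware.
SAMPLE_UNSIGNED='/Users/victim/Downloads/Internal PDF Viewer.app: code object is not signed at all'

SAMPLE_ADHOC_APPLE_ID='Executable=/Users/victim/Downloads/Internal PDF Viewer.app/Contents/MacOS/Internal PDF Viewer
Identifier=com.apple.placeholder
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+7 location=embedded
Signature=adhoc
Info.plist entries=20
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=4
Internal requirements count=0 size=12'

SAMPLE_APPLE='Executable=/System/Applications/Preview.app/Contents/MacOS/Preview
Identifier=com.apple.Preview
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=5678 flags=0x0(none) hashes=170+7 location=embedded
Signature size=4442
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Info.plist entries=35
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=200
Internal requirements count=1 size=68'

# Demo on the constructed samples (runs anywhere).
for s in "$SAMPLE_UNSIGNED" "$SAMPLE_ADHOC_APPLE_ID" "$SAMPLE_APPLE"; do
    printf '%s\n' "$s" | assess_codesign_text
done

# On a Mac, sweep the places a downloaded viewer would land.
if command -v codesign >/dev/null 2>&1; then
    for app in /Applications/*.app "$HOME"/Downloads/*.app; do
        [ -d "$app" ] || continue
        printf '%s\t' "$app"
        assess_app "$app"
    done
fi
```

An `adhoc-apple-id` verdict is the one worth escalating: an ad-hoc signature carries no certificate, so nothing ties the bundle to Apple, and a `com.apple.` identifier on such a bundle is a disguise rather than provenance. A bare `adhoc` result is common for locally built or developer-test apps and is a weaker signal on its own.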