RustBucket
⚠️ Overview
RustBucket is a macOS backdoor first documented by Jamf Threat Labs in April 2023 and attributed to BlueNoroff (also tracked as TA444 and Stardust Chollima), a North Korean advanced persistent threat (APT) group generally treated as the financially motivated arm of the Lazarus Group. It is a remote access trojan (RAT) used in a campaign against cryptocurrency-related organizations; Elastic Security Labs published further analysis of later variants in 2023.
🔧 Technical Capabilities
The final-stage backdoor is written in Rust, but it arrives at the end of a multi-stage chain. The first stage is an AppleScript-driven application posing as a PDF viewer; it fetches a second-stage Mach-O binary, which in turn decrypts, retrieves and runs the Rust payload from a remote server. The first stage is unsigned and the final stage carries only an ad-hoc signature (no Apple Developer ID), so Gatekeeper blocks both unless the victim explicitly overrides it, which is exactly what the lure is designed to make them do; the ad-hoc signature is not an evasion technique so much as a way to avoid a traceable developer identity. Later variants persist by writing a LaunchAgent plist to ~/Library/LaunchAgents/, so the backdoor is relaunched at every login. Command-and-control (C2) runs over HTTPS using custom-encrypted request bodies. Reported anti-analysis measures include string obfuscation with XOR and a custom base64 alphabet and checks for analysis tools such as lldb or Activity Monitor before the malicious code path runs. The backdoor can execute shell commands, upload and download files, and collect system information, and its C2 traffic is shaped to resemble benign API calls to services such as Apple's iCloud.
📜 History & Notable Incidents
First observed in the wild in early 2023, RustBucket was publicly documented by Jamf Threat Labs in April 2023, which also gave the malware its name. Follow-up analyses later in 2023 from Elastic Security Labs and Jamf Threat Labs described updated variants (sometimes called RustBucket v2), reportedly with improved encryption and a more modular design, and added the LaunchAgent persistence mechanism described above. No CVE applies: the chain relies entirely on social engineering, using fake investment or cryptocurrency job lures to get the victim to run the installer and override Gatekeeper. No public law-enforcement action specific to this campaign has been documented.
🔍 Detection Indicators
File hashes for each stage are published in the Jamf Threat Labs and Elastic Security Labs reports and should be taken from there; hash-only matching is weak in any case, since each stage can be rebuilt per lure. Behavioral indicators are stronger: a LaunchAgent in ~/Library/LaunchAgents/ with a com.apple.* label (reported as com.apple.softwareupdate.plist, mimicking the macOS update service) warrants investigation on its face, because Apple's own agents are installed under /System/Library/LaunchAgents and /Library/LaunchAgents rather than in the user's LaunchAgents folder. Network indicators reported include outbound HTTPS to domains such as api[.]bitbucket[.]org, abused as a dead-drop resolver, and a User-Agent of Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 combined with non-standard HTTP headers carrying Base64-encoded data; the User-Agent alone is a common browser string and is only meaningful when paired with the header anomaly. macOS has no registry; persistence lives in the plist described above.
☠️ Risk & Impact
RustBucket gives the operator full remote control of an infected Mac, enabling theft of cryptocurrency wallet credentials, private keys and sensitive documents. The primary damage is financial loss through theft of digital assets; targeted victims are cryptocurrency exchanges, decentralized finance (DeFi) platforms and blockchain startups, sectors BlueNoroff has pursued heavily since 2022. Exfiltration can also extend to business communications and intellectual property, though no quantified losses from this campaign have been publicly reported.
🛡️ Mitigation
Defenders should deploy endpoint detection and response (EDR) tooling with behavioral rules for LaunchAgent creation and for execution of unsigned or ad-hoc-signed Mach-O binaries, block reported C2 domains (e.g., the api[.]bitbucket[.]org pattern, taking care that legitimate Bitbucket use is not collateral), and keep Gatekeeper enforced rather than letting users override it for unsigned apps. Gatekeeper is not an allowlist; organizations that need true application allowlisting should layer it on through MDM or an EDR policy. Elastic's public detection-rules repository carries macOS LaunchAgent persistence rules, and Jamf Threat Labs publishes YARA signatures for RustBucket variants. An illustrative EQL shape for the persistence indicator above (not a verbatim vendor rule) is: file where event.type != "deletion" and file.path : "/Users/*/Library/LaunchAgents/com.apple.*.plist". No patch applies, because the chain exploits user trust rather than a software vulnerability.
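The LaunchAgent indicator and the EDR rule above can also be checked locally on a suspect Mac. The script below is an added example written for this page; it is not code from Jamf, Elastic or the page itself. It assumes two heuristics chosen here: a com.apple.* Label in ~/Library/LaunchAgents is suspicious, and a program launched from outside the usual install paths is suspicious. Both sample plists and the paths inside them are constructed for the example. When run on a real Mac it additionally reports the codesign status of each flagged program using Apple's codesign tool.

```python
"""Triage ~/Library/LaunchAgents for RustBucket-style persistence.

Added example (editor's code, not from Jamf, Elastic or the malware).
Heuristics are assumptions for this example: Apple's own agents live in
/System/Library/LaunchAgents and /Library/LaunchAgents, so a com.apple.* label
in the user folder is a red flag, as is a program outside normal install paths.
"""
import glob
import os
import plistlib
import shutil
import subprocess

APPLE_LABEL_PREFIX = "com.apple."
# Prefixes a legitimate user agent's program normally launches from (tune per fleet).
TRUSTED_PROGRAM_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/", "/opt/")

# Constructed sample: what the reported persistence plist would look like.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate</string>
  <key>ProgramArguments</key><array><string>/Users/victim/Library/Caches/.softwareupdate/updater</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed sample: an ordinary third-party agent that should not be flagged.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backupagent</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/BackupAgent.app/Contents/MacOS/BackupAgent</string>
    <string>--background</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""


def program_of(plist: dict):
    """Executable the agent runs: 'Program' wins, else argv[0] of ProgramArguments."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def triage_plist(filename: str, data: bytes) -> list:
    """Return the reasons a LaunchAgent plist looks suspicious ([] means clean)."""
    reasons = []
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # malformed XML or binary plist
        return [f"unparseable plist: {exc}"]

    label = str(plist.get("Label", ""))
    if label.startswith(APPLE_LABEL_PREFIX) or filename.startswith(APPLE_LABEL_PREFIX):
        reasons.append("com.apple.* label in a user LaunchAgent")

    prog = program_of(plist)
    if prog is None:
        reasons.append("no Program/ProgramArguments")
    elif not prog.startswith(TRUSTED_PROGRAM_PREFIXES):
        reasons.append(f"program outside trusted paths: {prog}")

    # RunAtLoad+KeepAlive is common in legitimate agents, so only count it as
    # corroboration once something else already looks wrong.
    if reasons and plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad+KeepAlive (restarts at login and on exit)")
    return reasons


def codesign_status(path: str) -> str:
    """'unsigned', 'adhoc', 'signed' or 'unknown', via Apple's codesign (macOS only)."""
    if not shutil.which("codesign") or not os.path.exists(path):
        return "unknown"
    out = subprocess.run(["codesign", "-dv", "--verbose=4", path],
                         capture_output=True, text=True).stderr
    if "not signed at all" in out:
        return "unsigned"
    if "Signature=adhoc" in out:
        return "adhoc"
    if "Authority=" in out:
        return "signed"
    return "unknown"


def scan_launch_agents(directory: str) -> dict:
    """Map plist filename -> reasons for every suspicious agent in `directory`."""
    findings = {}
    for path in sorted(glob.glob(os.path.join(directory, "*.plist"))):
        with open(path, "rb") as fh:
            data = fh.read()
        reasons = triage_plist(os.path.basename(path), data)
        if not reasons:
            continue
        try:
            prog = program_of(plistlib.loads(data))
        except Exception:
            prog = None
        if prog:
            reasons.append(f"codesign: {codesign_status(prog)}")
        findings[os.path.basename(path)] = reasons
    return findings


if __name__ == "__main__":
    for name, why in scan_launch_agents(os.path.expanduser("~/Library/LaunchAgents")).items():
        print(name)
        for reason in why:
            print("   -", reason)
```

The plist heuristics run anywhere; the codesign check degrades to "unknown" off macOS. Treat the output as triage, not verdict: some legitimate user agents launch from under /Users, so confirm a hit by inspecting the program and its signature before removing it.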
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.