A North Korea flag flutters next to concertina wire at the North Korean embassy in Kuala Lumpur


  • Researchers said a new Rustbucket malware variant evades all major anti-malware systems
  • The new North Korean malware uses persistence mechanisms and connects to malicious sites
  • A hacking group used the new malware to penetrate a European cryptocurrency firm

A new malware developed by North Korean hackers that targets Apple MacOS users and cryptocurrency companies has been discovered.

Security news website Decipher reported that the newly-discovered malware was a variant of the Rustbucket MacOS malware associated with a subsidiary of North Korea's notorious Lazarus hacking group.

The latest variant reportedly has new persistence mechanisms and evades all major anti-malware systems.

According to the report, it uses a three-stage model to execute its final payload and gain persistence on targeted devices.

"In the case of this updated RUSTBUCKET sample, it establishes its own persistence by adding a plist file at the path /Users//Library/LaunchAgents/com.apple.systemupdate.plist, and it copies the malware's binary to the following path /Users//Library/Metadata/System Update," researchers from the Elastic Security Labs said in their analysis of the North Korean malware.

The persistence mechanism reportedly connects to a domain that is known to be malicious and used in other attack campaigns, including phishing campaigns.

Elastic Security Labs researchers went deep into the malicious domains and other infrastructure where the new Rustbucket variant's persistence mechanism is connected.

"There is a specific User-Agent string (cur1-agent) that is expected when downloading the Stage 2 binary, if you do not use the expected User-Agent, you will be provided with a 405 HTTP response status code. It also appears that the campaign owners are monitoring their payload staging infrastructure. Using the expected User-Agent for the Stage 3 binary download (mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)), we were able to collect the Stage 3 binary," the researchers said.

A hacking group, called REF9135 by the Elastic Security Labs researchers, used the malware to attack a Europe-based cryptocurrency company.

The hackers used some evasion techniques to avoid being detected by defensive technologies during their attacks.

"Finally, we observed REF9135 changing its C2 domain once we began to collect the Stage 2 and 3 binaries for analysis. When making subsequent requests to the original server (crypto.hondchain[.]com), we received a 404 HTTP response status code (Not Found) and shortly after, a new C2 server was identified (starbucls[.]xyz)," the researchers said.

Rustbucket malware was first detected in April by researchers at Jamf when it was used by a hacking group called BlueNorOff in a series of cyber attacks.

Researchers described BlueNorOff as one of the subsets of North Korea's Lazarus Group, which is linked to a long list of high-profile cyberattacks.

Last month, multiple crypto-tracking experts told CNN that North Korean hackers were likely the culprit in the theft of at least $35 million from certain customers of Atomic Wallet, an Estonia-based company.

Atomic Wallet said the hacking incident affected "less than 1%" of its monthly users, but the company has not specified how much money might have been siphoned by North Korean hackers.

U.S. officials alleged that revenues from North Korea's illegal hacking activities are being used to fund about 50% of the country's nuclear ballistic missile program.

Representational Image Image by Pexels from Pixabay