BlueNoroff: new Trojan attacking macOS users

We recently discovered a new variety of malicious loader that targets macOS, presumably linked to the BlueNoroff APT group and its ongoing campaign known as RustBucket. The threat actor is known to attack financial organizations, particularly companies whose activity is in any way related to cryptocurrency, as well as individuals who hold crypto assets or take an interest in the subject. Information about the new loader variant first appeared in an X (formerly Twitter) post.


Original X (formerly Twitter) post about the new loader


Earlier RustBucket versions delivered their malicious payload via an app disguised as a PDF viewer. By contrast, this new variety was found inside a ZIP archive that appeared to contain a PDF file named “Crypto-assets and their risks for financial stability”, with a thumbnail that showed a matching title page; the item is in fact an app bundle. The metadata preserved inside the ZIP archive suggests the app was created on October 21, 2023.


App structure


Document thumbnail
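As an added example (not code from the original post, and not the malware's own code), the following Python script performs the kind of offline first-pass triage the passage above calls for: it walks a ZIP archive, identifies app bundles whose names end in a document extension, checks whether Contents/MacOS holds a Mach-O executable, notes whether a _CodeSignature directory is present, and reports the entry timestamps of the sort used to date the sample. The bundle name, entry list and timestamp in the constructed archive are assumptions made for the demonstration, not data from the real sample.

```python
"""Offline triage of a ZIP archive that may hide a macOS app bundle behind
a document name. Added example for this post, not code from the original
article or from the malware; the archive below is constructed inline with
assumed entry names and timestamps so the script runs anywhere.
"""
import io
import re
import zipfile
from datetime import datetime

# Extensions a malicious .app bundle might use to pose as a document.
# Finder hides the trailing ".app", so "report.pdf.app" is shown as "report.pdf".
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")

# Mach-O magic values as they appear on disk (32/64-bit, both byte orders, fat).
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
}

BUNDLE_RE = re.compile(r"^(?P<bundle>.*?\.app)/Contents/(?P<rest>.*)$")

# Assumed bundle name; the real sample's exact file name is not given in the post.
SAMPLE_BUNDLE = "Crypto-assets and their risks for financial stability.pdf.app"


def build_sample_zip() -> bytes:
    """Construct a ZIP whose layout mimics a document-named .app bundle (test data)."""
    ts = (2023, 10, 21, 12, 34, 56)  # assumed time of day; only the date follows the post
    entries = (
        (f"{SAMPLE_BUNDLE}/Contents/Info.plist", b"<plist/>", 0o644),
        # First four bytes are the 64-bit little-endian Mach-O magic.
        (f"{SAMPLE_BUNDLE}/Contents/MacOS/loader", b"\xcf\xfa\xed\xfe" + b"\0" * 28, 0o755),
        (f"{SAMPLE_BUNDLE}/Contents/Resources/thumbnail.png", b"\x89PNG", 0o644),
        (f"{SAMPLE_BUNDLE}/Contents/_CodeSignature/CodeResources", b"<plist/>", 0o644),
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data, mode in entries:
            info = zipfile.ZipInfo(name, date_time=ts)
            info.external_attr = mode << 16  # POSIX mode lives in the high 16 bits
            zf.writestr(info, data)
    return buf.getvalue()


def triage_zip(data: bytes) -> dict:
    """Return, per .app bundle in the archive: whether its name poses as a document,
    which Contents/MacOS entries are Mach-O executables, whether a _CodeSignature
    directory is present, plus the earliest and latest entry timestamps."""
    report = {"bundles": {}, "earliest": None, "latest": None}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            when = datetime(*info.date_time)
            if report["earliest"] is None or when < report["earliest"]:
                report["earliest"] = when
            if report["latest"] is None or when > report["latest"]:
                report["latest"] = when

            m = BUNDLE_RE.match(info.filename)
            if m is None:
                continue
            name, rest = m["bundle"], m["rest"]
            entry = report["bundles"].setdefault(
                name,
                {
                    # Strip ".app" and see whether what remains ends in a document extension.
                    "poses_as_document": name[:-4].lower().endswith(DOC_EXTENSIONS),
                    "executables": [],
                    "signed": False,
                },
            )
            if rest.startswith("MacOS/") and not info.is_dir():
                if zf.read(info)[:4] in MACHO_MAGICS:
                    entry["executables"].append(rest)
            if rest.startswith("_CodeSignature/"):
                entry["signed"] = True
    return report


if __name__ == "__main__":
    result = triage_zip(build_sample_zip())
    print(f"entries dated {result['earliest']} .. {result['latest']}")
    for bundle, facts in result["bundles"].items():
        print(bundle, facts)
```

A _CodeSignature directory only tells you the bundle carries a signature, not that it still verifies. On macOS the current status of an extracted bundle can be confirmed with `codesign -dv --verbose=4 <bundle>` and `spctl --assess --type execute -vv <bundle>`, which is also where certificate revocation shows up.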


Exactly how the archive spread is unknown. The cybercriminals might have emailed it to targets, as they did in past campaigns.


The app had a valid signature when it was discovered, but the certificate has since been revoked. A signature that verifies at collection time is therefore no indication of legitimacy on its own: revocation can follow later, and the certificate's status should be rechecked when the sample is reassessed.

Signature #1: Valid
Chain #1:
Verified: True
Serial: 6210670360873047962
Issu ..
