Like DPRK soldiers
In April 2023, fellow security researchers at Jamf published a report on Bluenoroff's RustBucket, a newly observed malware family targeting the macOS platform. Sekoia.io analysts further investigated Bluenoroff's infrastructure and share their findings in this report.
Bluenoroff is a North Korea-nexus intrusion set, allegedly subordinate to Bureau 121 of the Reconnaissance General Bureau (RGB) and tasked with revenue generation since at least 2015. Since 2017, Bluenoroff has been observed conducting financially motivated campaigns against cryptocurrency exchanges and venture-capital-related entities in Europe, Asia, the U.S. and the UAE.
From the end of 2021 and throughout 2022, Bluenoroff kept using the same TTPs. However, Sekoia.io analysts observed recent modifications, described in the Jamf report referenced above.
Bluenoroff’s gone macOS
Since at least December 2022, Bluenoroff has been observed leveraging RustBucket, malware written in Rust and Objective-C that targets systems running macOS. This recent Bluenoroff activity illustrates how intrusion sets turn to cross-platform languages in their malware development efforts, expanding their capabilities in a way that is highly likely intended to broaden their victimology. While other DPRK-nexus intrusion sets, including Lazarus, Kimsuky and, more recently, Reaper, had already been reported targeting macOS, this is, to the best of our knowledge, the first time Bluenoroff has been observed targeting macOS users.
The RustBucket infection chain consists of a macOS installer that deploys a backdoored, yet functional, PDF reader. The malicious behaviour is not triggered by simply running the fake reader: it only activates when a specific PDF file is opened in it, so that the document operates as a key to the implant.
When opened in a classical PDF reader, the PDF document displays a message asking the user to open