New Mac Malware, Possibly From North Korea, Masquerades as PDF Viewer



North Korean hackers appear to be back with another piece of macOS malware, this time distributed as a PDF viewer app.

Security company Jamf spotted the malware, dubbed "RustBucket," arriving through an app called "Internal PDF Viewer." The app does work as a PDF viewer. Interestingly, it only proceeds with the full attack chain when it is used to open a specific PDF file, most likely to keep security researchers and antivirus software from triggering the malicious behavior during analysis.

The malicious app. (Credit: Jamf)

Jamf discovered one of the correct PDF files, titled “InvestmentStrategy(Protected).pdf.” If opened with the malicious PDF viewer, the user will encounter a 9-page document about a venture capital firm looking to invest in different tech startups. 

What happens when you open the file. (Credit: Jamf)

The hackers are therefore likely targeting victims with phishing messages about investment opportunities. In reality, once the malicious PDF viewer has opened the correct PDF, it quietly begins communicating with an attacker-controlled server, from which it can download a second-stage payload, 11.2MB in size, containing code for both Arm-based (Apple silicon) and Intel-based Macs.

“Upon initial execution, it performs a handful of system recon commands,” Jamf said in the report. “Within this module is the ability to look at the basic info about the system, process listing, current time and whether or not it’s running within a [virtual machine].”

The attacker-controlled server can then direct the malware to download and execute additional malicious payloads on the Mac.

How the attack works. (Credit: Jamf)

The good news is that the app is unsigned, so it will run only if the user manually overrides Apple's built-in Gatekeeper safeguard, which warns about running untrusted software downloaded from the internet and refuses to launch unsigned apps unless the user explicitly allows them.
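For readers who want to verify this for themselves before double-clicking anything: the following shell script is an added example (not from the article or from Jamf) that runs the three checks Gatekeeper's decision rests on against a downloaded app bundle. The bundle path in the usage line is hypothetical; xattr, codesign and spctl are the standard macOS tools and are absent on other systems.

```shell
#!/bin/sh
# Added example (not part of the article): pre-flight checks for a downloaded
# .app bundle. Unsigned apps such as the one described above show up as
# "rejected" in the Gatekeeper assessment below.

# Classify an spctl assessment. spctl prints "<path>: accepted" for bundles
# Gatekeeper will launch and "<path>: rejected" otherwise; with --verbose=4
# it appends a "source=..." line explaining why.
classify_spctl() {
  case "$1" in
    *": accepted"*) echo "accepted" ;;
    *": rejected"*) echo "rejected" ;;
    *)              echo "unknown" ;;
  esac
}

# Run the real checks on an app bundle (macOS only). Returns 0 only when
# Gatekeeper would let the app run without a manual override.
assess_app() {
  app="$1"
  [ -d "$app" ] || { echo "no such bundle: $app" >&2; return 2; }

  echo "== quarantine attribute (set on anything a browser downloaded) =="
  xattr -p com.apple.quarantine "$app" 2>/dev/null \
    || echo "(none: not quarantined, or the attribute was removed)"

  echo "== code signature =="
  codesign --verify --deep --strict --verbose=2 "$app" 2>&1 \
    || echo "(unsigned, or signature does not verify)"

  echo "== Gatekeeper assessment =="
  verdict=$(spctl --assess --type execute --verbose=4 "$app" 2>&1)
  echo "$verdict"
  [ "$(classify_spctl "$verdict")" = "accepted" ]
}

# Usage (hypothetical path):
#   sh gatekeeper_check.sh "/Applications/Internal PDF Viewer.app"
if [ -n "$1" ]; then
  assess_app "$1"
fi
```

If the quarantine attribute is missing on something you know came from a browser, treat that as a finding in itself: a user (or a script) stripped it, which is exactly the kind of manual override the paragraph above describes.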

Jamf also noticed that the malware shares technical similarities with earlier attacks attributed to "BlueNoroff," a subgroup of the North Korean hacking group Lazarus, which is perhaps best known for the 2014 Sony Pictures breach.


Lazarus has since been observed focusing on attacks against cryptocurrency and financial companies…