North Korean Hackers Unleash New Malware Targeting Apple’s MacOS


  • Researchers said a new Rustbucket malware variant evades all major anti-malware systems
  • The new North Korean malware uses persistence mechanisms and connects to malicious sites
  • A hacking group used the new malware to penetrate a European cryptocurrency firm

Researchers have discovered new malware, developed by North Korean hackers, that targets Apple MacOS users and cryptocurrency companies.

Security news website Decipher reported that the newly discovered malware was a variant of the Rustbucket MacOS malware associated with a subsidiary of North Korea’s notorious Lazarus hacking group.

The latest variant reportedly has new persistence mechanisms and evades all major anti-malware systems.

According to the report, it uses a three-stage model to execute its final payload and gain persistence on targeted devices.

“In the case of this updated RUSTBUCKET sample, it establishes its own persistence by adding a plist file at the path /Users//Library/LaunchAgents/, and it copies the malware’s binary to the following path /Users//Library/Metadata/System Update,” researchers from the Elastic Security Labs said in their analysis of the North Korean malware.

The persistence mechanism reportedly connects to a domain that is known to be malicious and used in other attack campaigns, including phishing campaigns.
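For defenders, the two artifacts named in the quote can be checked per user account. The following is an added example, not code from Elastic Security Labs or from the article; it assumes the LaunchAgent plist references the copied binary in its `Program` or `ProgramArguments` key, and the sample plists are constructed.

```python
import plistlib
from pathlib import Path

# Path fragment from the Elastic quote above. The user-name segment is elided
# on the page, so only the part below the home directory is matched.
SUSPECT_SUFFIX = "Library/Metadata/System Update"

def launch_targets(plist_bytes):
    """Return every string launchd would execute or pass as an argument."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception:  # malformed or truncated plist
        return []
    if not isinstance(data, dict):
        return []
    targets = [data["Program"]] if isinstance(data.get("Program"), str) else []
    args = data.get("ProgramArguments")
    if isinstance(args, list):
        targets += [a for a in args if isinstance(a, str)]
    return targets

def flag_plist(plist_bytes):
    """True if the agent starts something under ~/Library/Metadata/System Update."""
    return any(SUSPECT_SUFFIX in t for t in launch_targets(plist_bytes))

def scan_home(home):
    """Check one home directory for both artifacts named in the quote."""
    home = Path(home)
    hits = []
    for plist in sorted((home / "Library" / "LaunchAgents").glob("*.plist")):
        try:
            if flag_plist(plist.read_bytes()):
                hits.append(plist.name)
        except OSError:  # unreadable file: skip, do not abort the scan
            continue
    return {"plists": hits, "binary_present": (home / SUSPECT_SUFFIX).exists()}

# Constructed sample plists (labels and paths are made up for this example).
SAMPLE_SUSPECT = plistlib.dumps({
    "Label": "com.example.constructed",
    "ProgramArguments": ["/Users/alice/Library/Metadata/System Update"],
    "RunAtLoad": True,
})
SAMPLE_BENIGN = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
})

if __name__ == "__main__":
    print(flag_plist(SAMPLE_SUSPECT), flag_plist(SAMPLE_BENIGN))
    print(scan_home(Path.home()))
```

A match is a lead for triage rather than a verdict, since the check relies only on the path reported in the quote.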

Elastic Security Labs researchers also examined the malicious domains and other infrastructure that the new Rustbucket variant’s persistence mechanism connects to.

“There is a specific User-Agent string (cur1-agent) that is expected when downloading the Stage 2 binary, if you do not use the expected User-Agent, you will be provided with a 405 HTTP response status code. It also appears that the campaign owners are monitoring their payload staging infrastructure. Using the expected User-Agent for the Stage 3 binary download (mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)), we were able to collect the Stage 3 binary,” the researchers said.

A hacking group, called REF9135 by the Elastic Security Labs researchers, used the malware to attack a Europe-based cryptocurrency company.

The hackers used some evasion techniques to avoid being detected by…