On 20th May, Sekoia.io published a report on RustBucket, a newly discovered piece of macOS malware attributed to North Korea's Bluenoroff group. North Korean hacking groups are among the most proactive threat actors, persistently probing for weaknesses and stealing funds.
The North Korean-linked Bluenoroff group has been used to steal cryptocurrency from users, and it has been a crucial part of North Korea's revenue generation since 2015. RustBucket is delivered as a backdoored PDF reader: the fake application only triggers its malicious behaviour when the victim opens a specific PDF file, which acts as the activation key. Bluenoroff has also run financially driven campaigns against cryptocurrency exchanges and venture capital firms, and the threat became global when the malware was used against users in Europe, Asia, the United States, and the United Kingdom.
According to the report, Bluenoroff is the first DPRK-nexus intrusion set seen specifically targeting macOS users, although macOS activity by Lazarus, Kimsuky and, more recently, Reaper has also been disclosed. A notable capability of the group is bypassing the Mark-of-the-Web (MOTW) flag. For those who are not aware, MOTW is a Windows security feature: a file downloaded from the internet is tagged (in a Zone.Identifier alternate data stream), and Windows warns the user when such a file is opened, while Office blocks its macros by default. Because the tag is not propagated to the contents of a mounted optical disk image (.iso extension) or virtual hard disk (.vhd extension), attackers package their payloads inside those formats; Bluenoroff adopted the same method to evade these controls. Note that this is a Windows mechanism: on macOS the analogous marker is the com.apple.quarantine extended attribute that Gatekeeper checks, so the ISO/VHD trick concerns the group's Windows tooling rather than RustBucket itself.
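To make the MOTW mechanism concrete, here is an added triage helper (example code written for this page, not from the Sekoia report or from Bluenoroff's tooling). It parses the Windows Zone.Identifier stream and the macOS com.apple.quarantine attribute, and flags files that arrived without any mark, which is exactly what happens to the contents of a mounted ISO. The paths, URLs and attribute values below are constructed samples.

```python
"""Triage helper for download markers: Windows Mark-of-the-Web and macOS quarantine.

Both parsers take the raw marker text, so the module runs offline on the
constructed samples at the bottom; read_marker() reads a live file's marker.
"""
import subprocess
import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

# URL security zone numbers as written in the ZoneId field.
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}


@dataclass
class ZoneIdentifier:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown zone {self.zone_id}")

    @property
    def triggers_warning(self) -> bool:
        # The open-file prompt, SmartScreen and Office macro blocking apply to
        # the Internet (3) and Restricted Sites (4) zones.
        return self.zone_id >= 3


def parse_zone_identifier(text: str) -> Optional[ZoneIdentifier]:
    """Parse the INI-style Zone.Identifier stream; None if no ZoneId is present."""
    section = None
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    if not fields.get("ZoneId", "").isdigit():
        return None
    return ZoneIdentifier(int(fields["ZoneId"]), fields.get("ReferrerUrl"), fields.get("HostUrl"))


@dataclass
class Quarantine:
    flags: int
    timestamp: datetime
    agent: str
    event_id: Optional[str]


def parse_quarantine(value: str) -> Quarantine:
    """Parse 'hexflags;hextimestamp;agent[;event-uuid]' from com.apple.quarantine."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"malformed quarantine attribute: {value!r}")
    return Quarantine(flags=int(parts[0], 16),
                      timestamp=datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc),
                      agent=parts[2],
                      event_id=parts[3] if len(parts) > 3 and parts[3] else None)


def read_marker(path: str) -> Optional[str]:
    """Read the live marker for a file on the current OS (None if absent)."""
    try:
        if sys.platform == "win32":
            with open(path + ":Zone.Identifier", "r", encoding="utf-8") as stream:
                return stream.read()
        if sys.platform == "darwin":
            out = subprocess.run(["xattr", "-p", "com.apple.quarantine", path],
                                 capture_output=True, text=True, check=True)
            return out.stdout.strip()
    except (OSError, subprocess.CalledProcessError):
        return None
    return None


def triage(markers: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Classify each path as 'warns', 'trusted' or 'unmarked' from its Zone.Identifier."""
    verdicts = {}
    for path, marker in markers.items():
        zone = parse_zone_identifier(marker) if marker else None
        if zone is None:
            verdicts[path] = "unmarked"
        else:
            verdicts[path] = "warns" if zone.triggers_warning else "trusted"
    return verdicts


# Constructed sample: the downloaded ISO carries the mark, but the files seen
# after mounting it carry none, which is the propagation gap attackers use.
SAMPLE_MARKERS: Dict[str, Optional[str]] = {
    r"C:\Users\victim\Downloads\Client_Details.iso":
        "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/Client_Details.iso\r\n",
    r"D:\Client_Details.lnk": None,
    r"D:\helper.dll": None,
}
SAMPLE_QUARANTINE = "0083;5f7d1e4c;Safari;5E3A2C0E-0000-0000-0000-000000000000"

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_MARKERS).items():
        print(f"{verdict:9s} {path}")
    q = parse_quarantine(SAMPLE_QUARANTINE)
    print(f"quarantined by {q.agent} at {q.timestamp.isoformat()}")
```

Run against a real download directory by feeding `read_marker()` output into `triage()`; the "unmarked" verdict for the mounted image's contents is the signal worth alerting on, since those are files that reached the host from the internet without any prompt or macro block standing in the way.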
Additionally, the group has registered several fake domains that resemble those of venture capital firms and banks. Most of these domains imitate Japanese venture capital firms, which indicates an interest in Japanese financial companies. The report also includes a case study from the UAE, where a victim received a file named “Shamjit Client Details Form.doc” on September 2, 2022; according to the report, it was a malicious Word document.