Key points
- Discovery: A macOS loader tied to BlueNoroff/RustBucket was delivered in a ZIP containing a PDF decoy and an app named EdoneViewer.
- Delivery and disguise: The archive preserved metadata (creation date Oct 21, 2023) and used a decoy PDF titled “Crypto-assets and their risks for financial stability” to trick targets.
- Code signing: The EdoneViewer app was validly signed (certificate later revoked) and is a universal Swift binary for both Intel and Apple Silicon.
- Decryption and execution: The main function CalculateExtameGCD XOR-decrypts an embedded payload, which is AppleScript that assembles and runs a shell command while printing benign terminal messages to distract analysis.
- Shell-stage actions: The assembled command downloads and opens a benign PDF, sends a POST to the C2 hxxp://on-global[.]xyz and saves the response to /Users/Shared/.pw, then sets permissions and executes it with the C2 address as an argument.
- .pw Trojan behavior: .pw is a universal binary that collects system info (computer name, OS version, time zone, startup/install dates, current time, running processes) every minute and awaits C2 commands (0x0 = save & run .pld, 0x1 = delete & shut down, other = keep waiting).
- Follow-up: On 0x0 the Trojan writes a file .pld to /Users/Shared/, makes it executable and runs it; no additional commands were observed during analysis, and the Trojan is now detectable by most anti-malware engines.
MITRE Techniques
- [T1140] Deobfuscate/Decode Files or Information – The loader performs XOR decryption of an embedded payload: ‘Decryption of the XOR-encrypted payload is handled by the main function, CalculateExtameGCD.’
- [T1059] Command and Scripting Interpreter – The decrypted payload is AppleScript that assembles and runs shell commands: ‘The decrypted payload has the AppleScript format:’ and ‘The script assembles and runs the following shell command:’
- [T1105] Ingress Tool Transfer – The shell-stage downloads files and retrieves a Trojan from the server: ‘Downloads a PDF file, save it at /Users/Shared/Crypto-assets and their risks for financial stability.pdf, and opens it.’ and ‘Sends a POST request to the server and saves the response to a hidden file named “.pw” and located at /Users/Shared/’.
- [T1071.001] Application Layer Protocol: Web Protocols – The loader communicates with a C2 over HTTP(S) using POST requests to hxxp://on-global[.]xyz: ‘Sends a POST request to the server and saves the response to a hidden file named “.pw”…’; domain: ‘hxxp://on-global[.]xyz’.
- [T1036] Masquerading – The campaign uses a PDF decoy and an app presented as a PDF viewer to appear benign: ‘Earlier RustBucket versions spread its malicious payload via an app disguised as a PDF viewer’ and the ZIP contained a PDF named ‘Crypto-assets and their risks for financial stability’.
Indicators of Compromise
- [Domain] C2 domain – hxxp://on-global[.]xyz (registered Oct 20, 2023)
- [File name / Path] Decoy PDF and saved files – “/Users/Shared/Crypto-assets and their risks for financial stability.pdf”, “/Users/Shared/.pw”, “/Users/Shared/.pld”
- [File / Binary] App and Trojan names – EdoneViewer (signed Swift universal executable), .pw (downloaded Trojan binary)
- [Certificate fingerprint] Code signing SHA-1 – da96876f9535e3946aff3875c5e5c05e48ecb49c (Developer ID Application: Northwest Tech-Con Systems Ltd)
- [Timestamps / Metadata] App creation/registration dates – app metadata suggests creation on 21 Oct 2023; C2 domain registered 20 Oct 2023
A universal Swift app named EdoneViewer was packaged inside a ZIP alongside a decoy PDF. The app carries a valid Developer ID signature (SHA-1 fingerprint da96876f9535e3946aff3875c5e5c05e48ecb49c) and contains both Intel and Apple Silicon binaries. Its main routine, CalculateExtameGCD, XOR-decrypts an embedded payload while emitting benign terminal output to distract analysis; the decrypted payload is AppleScript that assembles and executes a shell command.
The assembled shell command performs three actions in sequence: it downloads and opens a benign PDF to serve as a decoy; it issues a POST to the C2 domain hxxp://on-global[.]xyz and writes the server response to /Users/Shared/.pw; then it sets execute permissions and runs the .pw file with the C2 address as an argument. The .pw binary is a previously observed universal macOS Trojan that collects system metadata (computer name, OS version, time zone, startup/install dates, current time, running processes) and transmits it to the C2 in one-minute cycles.
The Trojan expects numeric commands from the server: 0x0 causes it to write the received payload to /Users/Shared/.pld, mark it read/write/execute and run it; 0x1 causes it to delete the local copy and shut down; any other value results in continued waiting. During analysis no follow-up commands were observed. The C2 domain was newly registered (20 Oct 2023), the app certificate has since been revoked, and the Trojan is currently detectable by most anti-malware engines.
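The loader's shell stage and the .pw Trojan leave a short, ordered trail (POST to the C2 domain, hidden executable dropped in /Users/Shared, that file launched with the C2 address as its argument). The following triage script is an added example, not code from the Securelist write-up: it classifies constructed endpoint events against the indicators listed above and raises a chain alert only when all three stages occur in timestamp order, and it generalises the drop-path check to any hidden executable under /Users/Shared (the event dict shape is an assumption).

```python
# Added triage example (not code from the Securelist write-up): score constructed
# macOS endpoint events against the indicators above and flag the full chain
# (POST to C2 -> hidden drop in /Users/Shared -> execution with C2 as argument).
import re
C2_HOST = "on-global.xyz"  # page lists it defanged as hxxp://on-global[.]xyz
CERT_SHA1 = "da96876f9535e3946aff3875c5e5c05e48ecb49c"
DROP_PATHS = {"/Users/Shared/.pw", "/Users/Shared/.pld"}
HIDDEN_IN_SHARED = re.compile(r"^/Users/Shared/\.[^/]+$")

def classify(ev):
    """Map one event dict (assumed shape) to zero or more indicator labels."""
    labels = []
    t = ev.get("type")
    if t == "net" and ev.get("host", "").lower() == C2_HOST:
        labels.append("c2_contact")
    elif t == "file":
        path = ev.get("path", "")
        if path in DROP_PATHS:
            labels.append("known_drop_path")
        elif HIDDEN_IN_SHARED.match(path) and "x" in ev.get("mode", ""):
            labels.append("hidden_exec_in_shared")  # generalises beyond .pw/.pld
    elif t == "proc":
        argv = ev.get("argv", [])
        if argv and argv[0] in DROP_PATHS:
            labels.append("drop_executed")
        if any(C2_HOST in a for a in argv[1:]):
            labels.append("c2_as_argument")
    elif t == "codesign" and ev.get("sha1", "").lower() == CERT_SHA1:
        labels.append("revoked_cert")
    return labels

# Stages that must appear in this order (by timestamp) to raise a chain alert.
CHAIN = ({"c2_contact"}, {"known_drop_path", "hidden_exec_in_shared"}, {"drop_executed"})
def detect_chain(events):
    """True when the three stages of the loader's shell command occur in order."""
    stage = 0
    for ev in sorted(events, key=lambda e: e["ts"]):
        if set(classify(ev)) & CHAIN[stage]:
            stage += 1
            if stage == len(CHAIN):
                return True
    return False

# Constructed sample telemetry for one host (not real captures).
SAMPLE = [
    {"ts": 1, "type": "net", "host": "on-global.xyz", "method": "POST"},
    {"ts": 2, "type": "file", "path": "/Users/Shared/.pw", "mode": "rwx"},
    {"ts": 3, "type": "proc", "argv": ["/Users/Shared/.pw", "http://on-global.xyz"]},
]
```

A single hit (for example the revoked certificate fingerprint) is worth a ticket on its own; the chain rule is what separates this loader from an unrelated hidden file in the shared folder.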
Read more: https://securelist.com/bluenoroff-new-macos-malware/111290/