Elastic Security Labs has detected a new variant of the RustBucket malware targeting macOS, with added persistence and signature-reduction tactics in active development. The REF9135 operations attributed to the Lazarus Group (DPRK) show shifting infrastructure to evade detection and ongoing financially motivated attacks against cryptocurrency service providers. #RustBucket #REF9135 #LazarusGroup #BlueNorOff #DangerousPassword #DPRK
Keypoints
- The RUSTBUCKET family is in an active development phase, adding built-in persistence and attempting signature reduction.
- REF9135 actors continuously shift infrastructure to evade detection and response.
- The DPRK (Lazarus Group) targets cryptocurrency service providers for financial gain.
- Elastic Defend provides protection against REF9135, with a published signature to prevent this malware variant.
- The new variant adds a macOS persistence mechanism via LaunchAgents and a dedicated plist.
- Evidence ties REF9135 to a broader Lazarus Group operation with changing C2 infrastructure and TLS fingerprints.
MITRE Techniques
- [T1059.002] AppleScript – Stage 1 runs an AppleScript through /usr/bin/osascript that downloads the Stage 2 binary from the C2 with curl. ‘During Stage 1, the process begins with the execution of an AppleScript utilizing the /usr/bin/osascript command. This AppleScript is responsible for initiating the download of the Stage 2 binary from the C2 using curl.’
- [T1105] Ingress Tool Transfer – Stage 1 downloads Stage 2 binary from the C2 using curl. ‘The AppleScript is responsible for initiating the download of the Stage 2 binary from the C2 using cURL.’
- [T1071.001] Web Protocols – C2 traffic is HTTP POST with a hard-coded User-Agent and the string pw in the request body. ‘The binary sets the User-Agent string as mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0) and includes the string pw in the body of the HTTP request.’
- [T1059.004] Unix Shell – Stage 3 writes the payload to a uniquely named file in the temporary directory and launches it, using the macOS Foundation APIs NSFileManager, NSUUID and NSTask (native API calls rather than an interactive shell). ‘The malware utilizes specific macOS APIs for various operations. It begins with NSFileManager’s temporaryDirectory function to obtain the current temporary folder, then generates a random UUID using NSUUID’s UUID.init method. Finally, the malware combines the temporary directory path with the generated UUID to create a unique file location and writes the payload to it.’
- [T1041] Exfiltration Over C2 Channel – Stage 3 sends the gathered host data, and its subsequent command/response exchange, to the C2 in HTTP POST requests carrying the same User-Agent. ‘The malware transmits the gathered data via a POST request. The request is accompanied by a User-Agent string formatted as Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0).’
- [T1082] System Information Discovery – Stage 3 collects system information (computer name, active processes, timestamps, boot time, etc.). ‘The malware proceeds to gather comprehensive system information, including: Computer name; List of active processes; Current timestamp; Installation timestamp; System boot time; Status of all running processes within the system.’
- [T1057] Process Discovery – Stage 3 enumerates active processes as part of information gathering. ‘List of active processes’ included in the system information.
- [T1543.001] Create or Modify System Process: Launch Agent – Persistence via a user LaunchAgents plist named com.apple.systemupdate.plist, with the binary copied to a System Update file under ~/Library/Metadata. ‘it establishes its own persistence by adding a plist file at the path /Users//Library/LaunchAgents/com.apple.systemupdate.plist, and it copies the malware’s binary to the path /Users//Library/Metadata/System Update.’
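A hunt for the LaunchAgent persistence described above, written as an added example (not code from the Elastic Security Labs post). It parses per-user LaunchAgents plists and flags the two traits the report gives for this variant: a label or filename of com.apple.systemupdate and a program path under ~/Library/Metadata. It also flags any com.apple.* label found in a user-level LaunchAgents folder; that heuristic, the sample plist contents and the /Users/analyst path are assumptions of this example, not facts from the page.

```python
"""Hunt for RustBucket-style LaunchAgent persistence (added example)."""
from __future__ import annotations

import plistlib
import tempfile
from pathlib import Path

KNOWN_LABELS = {"com.apple.systemupdate"}
SUSPICIOUS_PATH_FRAGMENTS = ("/Library/Metadata/",)  # ~/Library/Metadata/System Update


def program_path(plist: dict) -> str:
    """Executable a LaunchAgent runs: Program, else ProgramArguments[0]."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def assess_plist(filename: str, plist: dict, user_level: bool) -> list[str]:
    """Return the reasons a plist looks like this variant's persistence (empty if none)."""
    reasons: list[str] = []
    label = str(plist.get("Label", ""))
    path = program_path(plist)
    if label in KNOWN_LABELS or Path(filename).stem in KNOWN_LABELS:
        reasons.append(f"known RustBucket label: {label or filename}")
    if any(frag in path for frag in SUSPICIOUS_PATH_FRAGMENTS):
        reasons.append(f"program under Library/Metadata: {path}")
    # Heuristic (assumption of this example): Apple's own agents live under
    # /System/Library and /Library, not in a user's ~/Library/LaunchAgents.
    if user_level and label.startswith("com.apple."):
        reasons.append(f"Apple-style label in user LaunchAgents: {label}")
    return reasons


def scan_launch_agents(directory: Path, user_level: bool = True) -> dict[str, list[str]]:
    """Scan every *.plist in directory; unparseable files are reported as findings too."""
    findings: dict[str, list[str]] = {}
    for p in sorted(directory.glob("*.plist")):
        try:
            with p.open("rb") as fh:
                data = plistlib.load(fh)
        except Exception as exc:  # malformed or non-plist content is itself worth a look
            findings[p.name] = [f"unparseable plist: {exc}"]
            continue
        reasons = assess_plist(p.name, data, user_level)
        if reasons:
            findings[p.name] = reasons
    return findings


def build_sample_dir() -> Path:
    """Write two CONSTRUCTED plists to a temp dir: one benign, one mimicking the variant.

    RunAtLoad/KeepAlive and the /Users/analyst home path are assumptions for
    the sample, not values taken from the report.
    """
    d = Path(tempfile.mkdtemp(prefix="launchagents_"))
    benign = {
        "Label": "com.example.updater",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
        "RunAtLoad": True,
    }
    malicious = {
        "Label": "com.apple.systemupdate",
        "ProgramArguments": ["/Users/analyst/Library/Metadata/System Update"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }
    for name, content in (("com.example.updater.plist", benign),
                          ("com.apple.systemupdate.plist", malicious)):
        with (d / name).open("wb") as fh:
            plistlib.dump(content, fh)
    return d


if __name__ == "__main__":
    for name, reasons in scan_launch_agents(build_sample_dir()).items():
        print(name)
        for r in reasons:
            print("  -", r)
    # Real hunt on the current user: scan_launch_agents(Path.home() / "Library/LaunchAgents")
```

To hunt across a fleet, run scan_launch_agents over each /Users/<name>/Library/LaunchAgents; a hit on the Library/Metadata path or the known label is specific to this variant, while the com.apple.* heuristic is broader and needs triage.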
Indicators of Compromise
- [Domain] REF9135 C2 domains – webhostwatto.work[.]gd, crypto.hondchain[.]com, starbucls[.]xyz, jaicvc[.]com, docsend.linkpc[.]net, and 2 more domains
- [IPv4] REF9135 C2 IP addresses – 104.168.167[.]88, 64.44.141[.]15
- [x509-certificate] TLS certificate SHA-256 fingerprints – jaicvc[.]com (788261d948177acfcfeb1f839053c8ee9f325bd6fb3f07637a7465acdbbef76a), webhostwatto.work[.]gd (1031871a8bb920033af87078e4a418ebd30a5d06152cd3c2c257aecdf8203ce6)
- [SHA-256] RustBucket and related samples – 9ca914b1cfa8c0ba021b9e00bda71f36cad132f27cf16bda6d937badee66c747, 7fccc871c889a4f4c13a977fdd5f062d6de23c3ffd27e72661c986fae6370387, ec8f97d5595d92ec678ffbf5ae1f60ce90e620088927f751c76935c46aa7dc41, de81e5246978775a45f3dbda43e2716aaa1b1c4399fe7d44f918fccecc4dd500, 4f49514ab1794177a61c50c63b93b903c46f9b914c32ebe9c96aa3cbc1f99b16, fe8c0e881593cc3dfa7a66e314b12b322053c67cbc9b606d5a2c0a12f097ef69, 7887638bcafd57e2896c7c16698e927ce92fd7d409aae698d33cdca3ce8d25b8
- [SHA-256] Stage 2 payload – 7887638bcafd57e2896c7c16698e927ce92fd7d409aae698d33cdca3ce8d25b8
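Matching the network indicators above against web-proxy logs, as an added example (not code from the Elastic Security Labs post). It refangs the defanged domains and IPs listed in this section, then scans log lines for a destination host on the IOC list (exact or subdomain match) and for the RustBucket User-Agent quoted in the MITRE section, compared case-insensitively because the page quotes it in two casings. The log format (timestamp, client IP, method, host+path, quoted User-Agent) and the log lines are constructed for this example; adapt LOG_RE to the proxy you actually have.

```python
"""Match REF9135 network IOCs and the RustBucket User-Agent in proxy logs (added example)."""
import re

# Indicators as listed on this page (defanged); the "2 more domains" are not given.
DEFANGED_DOMAINS = [
    "webhostwatto.work[.]gd", "crypto.hondchain[.]com", "starbucls[.]xyz",
    "jaicvc[.]com", "docsend.linkpc[.]net",
]
DEFANGED_IPS = ["104.168.167[.]88", "64.44.141[.]15"]
RUSTBUCKET_UA = "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)"


def refang(ioc: str) -> str:
    """Undo common defanging so indicators compare against live log data."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_HOSTS = {refang(x) for x in DEFANGED_DOMAINS + DEFANGED_IPS}

# Constructed log format: <ts> <client> <METHOD> <host><path> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) '
    r'(?P<host>[^\s/]+)(?P<uri>\S*) "(?P<ua>[^"]*)"$'
)


def host_is_ioc(host: str) -> bool:
    """Exact or subdomain match against the IOC set; ignores case, port and trailing dot."""
    host = host.lower().split(":", 1)[0].rstrip(".")
    return host in IOC_HOSTS or any(host.endswith("." + d) for d in IOC_HOSTS)


def analyze(lines):
    """Return (line_number, reasons) for every line that matches an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # lines the parser cannot read are skipped, not treated as hits
        reasons = []
        if host_is_ioc(m["host"]):
            reasons.append(f"C2 host {m['host'].lower()}")
        if m["ua"].lower() == RUSTBUCKET_UA:
            reasons.append("RustBucket User-Agent")
        if reasons:
            hits.append((n, reasons))
    return hits


# CONSTRUCTED sample lines for this example; not from any real capture.
SAMPLE_LOG = [
    '2023-06-30T12:00:01Z 10.0.0.5 GET www.example.com/ "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4) AppleWebKit/605.1.15"',
    '2023-06-30T12:00:02Z 10.0.0.5 POST jaicvc.com/ "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"',
    '2023-06-30T12:00:03Z 10.0.0.7 POST 104.168.167.88/ "curl/8.1.2"',
    '2023-06-30T12:00:04Z 10.0.0.5 POST cdn.starbucls.xyz/api "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)"',
    'malformed line that the parser should skip',
]

if __name__ == "__main__":
    for n, reasons in analyze(SAMPLE_LOG):
        print(f"line {n}: " + "; ".join(reasons))
```

A host match is high confidence; the User-Agent on its own is weaker, since that IE8-on-XP string also appears in older tooling, but seen in a POST from a macOS endpoint it is anomalous enough to pivot on (that assessment is the example's, not the page's).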
Read more: https://www.elastic.co/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket