North Korean state-backed hackers are targeting Mac users with a new strain of malware called RustBucket, according to a report from Tom's Guide.

What is RustBucket?

First documented by cybersecurity firm Jamf, RustBucket is a first-stage downloader rather than a self-replicating virus: once it runs, it fetches further payloads from a command-and-control (C2) server operated by the attackers. The first stage is distributed as a bogus PDF viewer application called "Internal PDF Viewer.app."

Once the first stage runs, it fetches the second-stage payload, a signed application whose bundle identifier is made to look like one of Apple's own, which in turn retrieves the third-stage payload, a signed trojan written in Rust (hence the name).

What is RustBucket capable of?

RustBucket collects system information from an infected Mac and reports it back to its operators, who can then push additional payloads. Jamf has warned that as macOS gains market share, advanced persistent threat (APT) groups will increasingly target it.

Mac users should exercise caution while checking their inboxes, avoid opening attachments in emails from unknown senders, and consider running endpoint security software on their Macs.

Who is behind this new strain of malware?

The Hacker News reports that the RustBucket malware is thought to have been created by the North Korean threat actor BlueNoroff, a subgroup of the Lazarus cluster. 

Because the first-stage app is unsigned, Gatekeeper refuses to open it by default; the victim must manually override that protection (for example, by right-clicking the app and choosing Open) for the attack to succeed. BlueNoroff is recognized for carrying out sophisticated cyber-enabled heists against the SWIFT system and cryptocurrency exchanges.
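The two signing details that matter in this chain, the unsigned first stage that Gatekeeper blocks and the second stage that borrows an Apple-style bundle identifier without Apple's signature, can both be checked from the terminal. The POSIX shell function below is an added example, not code from the article, from Jamf's analysis, or from the malware: it classifies the text that macOS's `codesign -dv --verbose=4 <app>` prints (to stderr, so capture it with `2>&1`). Apple's own software carries the `Software Signing` leaf certificate, an ad-hoc signature shows up as `Signature=adhoc`, and unsigned code is reported as "code object is not signed at all". The paths, the `com.apple.pdfviewer` identifier, the developer name and the team ID in the samples are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the article or from Jamf's analysis.
# classify_signature takes the output of `codesign -dv --verbose=4 <app>` as its
# single argument and prints one verdict line. It always exits 0 so that it can
# be used inside $(...) under `set -e`.
#
# Live use on a Mac (assumed path, not from the page):
#   classify_signature "$(codesign -dv --verbose=4 "/Applications/Internal PDF Viewer.app" 2>&1)"

classify_signature() {
    out=$1
    ident=$(printf '%s\n' "$out" | sed -n 's/^Identifier=//p' | head -n 1)
    sig=$(printf '%s\n' "$out" | sed -n 's/^Signature=//p' | head -n 1)
    team=$(printf '%s\n' "$out" | sed -n 's/^TeamIdentifier=//p' | head -n 1)
    authorities=$(printf '%s\n' "$out" | sed -n 's/^Authority=//p')

    # codesign reports unsigned code with this exact phrase; Gatekeeper refuses
    # to open such an app unless the user overrides it (right-click > Open).
    case $out in
        *"code object is not signed at all"*)
            echo "UNSIGNED: Gatekeeper will block; user must override to run"
            return 0 ;;
    esac

    # An ad-hoc signature has no certificate chain, so nobody stands behind it.
    if [ "$sig" = "adhoc" ]; then
        echo "ADHOC: no identity behind ${ident:-<no identifier>}; Gatekeeper will block"
        return 0
    fi

    # Apple's own software is signed with the "Software Signing" leaf certificate.
    # A com.apple.* identifier without it is borrowing Apple's name.
    case $ident in
        com.apple.*)
            if printf '%s\n' "$authorities" | grep -qx 'Software Signing'; then
                echo "APPLE: $ident signed by Apple"
            else
                echo "SPOOFED: $ident claims Apple but signed by ${team:-unknown team}"
            fi
            return 0 ;;
    esac

    case $authorities in
        *"Developer ID Application:"*)
            echo "DEVELOPER_ID: $ident, team $team" ;;
        "")
            echo "UNKNOWN: $ident has no certificate chain" ;;
        *)
            echo "OTHER: $ident, leaf certificate $(printf '%s\n' "$authorities" | head -n 1)" ;;
    esac
    return 0
}

# Constructed samples in codesign's output format; not real RustBucket output.
SAMPLE_UNSIGNED='/tmp/Internal PDF Viewer.app: code object is not signed at all'

SAMPLE_ADHOC='Executable=/tmp/Internal PDF Viewer.app/Contents/MacOS/Internal PDF Viewer
Identifier=com.apple.pdfviewer
CodeDirectory v=20400 size=512 flags=0x2(adhoc) hashes=5+7 location=embedded
Signature=adhoc
TeamIdentifier=not set'

SAMPLE_SPOOFED='Executable=/tmp/Internal PDF Viewer.app/Contents/MacOS/Internal PDF Viewer
Identifier=com.apple.pdfviewer
CodeDirectory v=20400 size=512 flags=0x0(none) hashes=5+7 location=embedded
Signature size=8980
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

SAMPLE_APPLE='Executable=/System/Applications/Preview.app/Contents/MacOS/Preview
Identifier=com.apple.Preview
CodeDirectory v=20400 size=4096 flags=0x0(none) hashes=120+7 location=embedded
Signature size=4442
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
TeamIdentifier=not set'

for sample in "$SAMPLE_UNSIGNED" "$SAMPLE_ADHOC" "$SAMPLE_SPOOFED" "$SAMPLE_APPLE"; do
    classify_signature "$sample"
done
```

The verdicts are deliberately coarse: a `SPOOFED` or `ADHOC` result on an app that arrived by email is the signal to stop, not to right-click and open. On a real system pair this with `spctl --assess --type execute <app>`, which reports Gatekeeper's own decision.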

It has also changed its attack strategy in recent months, utilizing job-related lures to deceive email recipients into entering their credentials on bogus landing pages.


Jamf's discovery of this macOS malware is another example of threat actors retooling with cross-platform languages such as Go and Rust, which let one code base target Windows, Linux, and macOS alike.

More Groups Linked to Lazarus

The Lazarus Group, an umbrella name for a collection of state-sponsored and criminal hacking outfits, is also tied to a cascading supply chain attack that weaponized trojanized installers of the legitimate program X_TRADER.

Kimsuky is another prominent North Korean threat actor; Google's Threat Analysis Group (TAG) tracks a subset of its activity as ARCHIPELAGO.

ARCHIPELAGO has been in operation since 2012. It is aimed at people well-versed in North Korean policy issues such as sanctions, human rights, and non-proliferation.

We reported earlier this month that, to counter ARCHIPELAGO, Google had implemented several safeguards, including adding newly detected malicious websites and domains to Safe Browsing and sending targeted users warnings that they were the subject of government-backed attacks, among other measures.

Like many other malicious actors, ARCHIPELAGO has changed its phishing tactics over time. For several years it sent conventional phishing emails disguised as Google Account security alerts.

How Mac Users Can Defend Themselves

Mac users must now exercise the same caution as Windows users in order to avoid having their devices infected with malware and having their personal and financial information stolen by hackers.

Cybersecurity experts urge that all software be kept up to date, that each account have a strong and unique password, and that unexpected emails and attachments be left unopened. On macOS specifically, a Gatekeeper warning on an app you did not knowingly install should be treated as a stop sign, not something to bypass with right-click and Open.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.