TheNorth Korea-linked BlueNoroff hacking collective has been busy attacking macOS users with a malware called RustBucket. The malware installs a backdoor PDF reader.
Hackers are using the malware to steal crypto from users.
RustBucket Targets macOS
Security researchers at Jamf published a report on the malware, which was later further analyzed by Sekoia.io.
The latter states,
“Since 2017, BlueNoroff was observed conducting financially-driven campaigns targeting cryptocurrency exchanges and venture capital-related entities in Europe, Asia, the U.S., and the UAE.”
The BlueNoroff-created malware has been focused on revenue generation since 2015. BlueNoroff has been leveraging RustBucket, a malware that uses Rust and Objective C to target macOS. Sekoia explains the attack as follows,
“The RustBucket infection chain consists of a macOS installer that installs a backdoored, yet functional, PDF reader. The fake PDF reader then requires opening a specific PDF file that operates as a key to trigger the malicious activity.”
BlueNoroff Has Carried Out Attacks Globally
BlueNoroff has reached a global level of threat in 2022, targeting crypto startups in the U.S., Russia, China, India, the U.K., Ukraine, Poland, the Czech Republic, UAE, Singapore, Estonia, Vietnam, Malta, Germany, and Hong Kong.
The hacking group also posed as Japanese VCs and banks in late 2022, creating dozens of fake domains. The group once used Word documents to inject malware but has since been improving its technique.
The U.S. Department of the Treasury had sanctioned the group as far back as 2019, but it has done little to stop the group. BlueNoroff is only one part of North Korea’s extensive cyber warfare operations, which have frequently made the news for their exploits.
North Korea-linked Hackers Stole $1.7B in 2022
North Korea-linked hackers have been busy carrying out their operations for a long time. 2022 was a particularly notable year, as they managed to steal about $1.7 billion in crypto from various entities. Chainalysis noted that the figure quadrupled from 2021 when they stole $429 million.
The United Nations released a report stating that the funds were going towards funding its missile program. The United States has also sanctioned addresses allegedly linked to North Korea.