The DPRK strikes using a new variant of RUSTBUCKET
2023-06-29 • Elastic
https://www.elastic.co/kr/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket
Elastic reports an active DPRK/REF9135 campaign using a newly observed RUSTBUCKET macOS variant against a cryptocurrency payment services provider. The malware family was previously attributed to BlueNorOff; the new variant adds built-in persistence and has reduced signature-based detection, and the newly found sample was undetected by VirusTotal engines at publication. The infection chain uses AppleScript and curl to retrieve a Swift Stage 2 payload from C2, then runs a Rust FAT (multi-architecture) Stage 3 binary that collects process and system information, posts it to C2, and can download and execute Mach-O binaries or shell scripts. Elastic attributes the observed intrusions with high confidence to Lazarus Group/DPRK based on host, binary, network, victimology, and infrastructure overlaps.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | crypto.hondchain.com | 2023-06-29 | 2023-07-05 |
| HASH | 7887638bcafd57e2896c7c16698e927… | 2023-06-29 | 2023-06-29 |
| HASH | 4f49514ab1794177a61c50c63b93b90… | 2023-06-29 | 2023-06-29 |
| HASH | 788261d948177acfcfeb1f839053c8e… | 2023-06-29 | 2023-06-29 |
| HASH | fe8c0e881593cc3dfa7a66e314b12b3… | 2023-06-29 | 2023-06-29 |
| HASH | de81e5246978775a45f3dbda43e2716… | 2023-06-29 | 2023-06-29 |
| HASH | 1031871a8bb920033af87078e4a418e… | 2023-06-29 | 2023-06-29 |
| URL | https://webhostwatto.work.gd | 2023-06-29 | 2023-06-29 |
| DOMAIN | docsend.linkpc.net | 2023-06-29 | 2023-06-29 |
| DOMAIN | webhostwatto.work.gd | 2023-06-29 | 2023-06-29 |
| DOMAIN | jaicvc.com | 2023-06-29 | 2023-06-29 |
| IPv4 | 64.44.141.15 | 2023-06-29 | 2023-06-29 |
| HASH | 7fccc871c889a4f4c13a977fdd5f062… | 2023-05-22 | 2023-06-29 |
| HASH | ec8f97d5595d92ec678ffbf5ae1f60c… | 2023-05-22 | 2023-06-29 |
| HASH | 9ca914b1cfa8c0ba021b9e00bda71f3… | 2023-05-22 | 2023-06-29 |
| IPv4 | 104.168.167.88 | 2023-05-22 | 2023-06-29 |