We’ve been monitoring reports of a new malware strain targeted at devices running macOS that interacts with the command and control (C2) server to execute payloads. The malware is reportedly from a state-sponsored North Korean hacking group, BlueNoroff, a subsidiary of the Lazarus hacking group.

This guide will explain how the malware works and how to protect your macOS devices from it.

How RustBucket works

The first variant of the RustBucket malware disguises itself as a harmless PDF reader dubbed “Internal PDF Viewer.” While it looks like a regular PDF app, it’s indeed an AppleScript app designed to run some shell scripts that will download and run the second stage of the attack.

The PDF app functions as a regular PDF viewer, albeit lightweight, but with some underlying code allowing it to kickstart another stage of the attack upon getting the necessary instructions. Those instructions will come as a specific PDF file, making the attack dormant until a user tries to open the specific PDF designed for the attack.

Upon double-clicking the intended file, it brings up a pop-up notice asking the user to “use the dedicated app for internal employees.” Opening the PDF within the ‘Internal PDF Viewer’ program will work normally, but under the hood, the PDF actually executes the malicious code that connects the user’s computer to a remote command-and-control (C2) server.

Malicious actors can then send custom requests through the C2 server or collect information stealthily, allowing them to steal cryptocurrencies using techniques like keylogging.

At press time, the C2 server no longer responds, implying that the developers intentionally shut it down remotely for some reason. In any case, it’s imperative to protect one’s computer against the RustBucket malware to avoid similar exploits.

How to remove RustBucket from an infected Mac

Most antivirus programs have released patches for the vulnerability, so simply updating your anti-malware program and running a full system scan should remove RustBucket. While you can remove it manually, it’s an unnecessarily lengthy process with almost no chance of working.

You can prevent similar exploits by avoiding external PDF readers or calculators; the preinstalled programs on your macOS can handle those tasks excellently. If you must use one, ensure it’s available on the App Store from a trusted source and has mostly positive reviews.

While your Mac already protects you from exploits, you should always avoid shady websites and pirated online content, as they usually carry ads that lead to similar malware programs.