Cybersecurity research conducted by the illustrious team at Elastic Security Labs has brought to light a virulent new strain of the RustBucket malware, a notorious enemy of macOS-powered devices. It appears the cyber-nemesis has evolved, displaying an increased persistence on targeted endpoints and an unnerving ability to stealthily avoid antivirus programs.
The researchers reveal, "This variant of RustBucket, a malware family that targets macOS systems, adds persistence capabilities not previously observed." The devious malware has also advanced its command-and-control infrastructure, subtly embedding itself within dynamic network systems.
Its mode of entry is decidedly straightforward: the unsuspecting victim downloads a seemingly innocent macOS installer file, little knowing it carries a malevolent passenger – a compromised PDF reader. The attack is activated when an ill-fated PDF file, cleverly weaponized, is opened using the tainted reader. Often delivered via phishing emails or masquerading as trustworthy links on social media platforms like LinkedIn, the RustBucket malware indeed presents a sinister threat.
RustBucket's distinctive persistence method, paired with its dynamic DNS domains for command-and-control, enables it to surpass most malware in its elusive nature.
"In the case of this updated RustBucket sample, it establishes its own persistence by adding a plist file at the path /Users/<user>/Library/LaunchAgents/com.apple.systemupdate.plist, and it copies the malware's binary to the following path /Users/<user>/Library/Metadata/System Update," the researchers elaborated.
