
BlueNoroff, hackers hunting macOS users’ money and crypto


Kaspersky's research team is closely following the behavior and evolution of a hacking group known as BlueNoroff.

The collective, an affiliate of the far better known North Korean group Lazarus, is currently spreading a trojan known as RustBucket that targets macOS users. Although this malware is already known to researchers, its evolution is causing serious concern among professionals.

The BlueNoroff operators have shown remarkable reverse-engineering skill, taking apart legitimate software and rebuilding it with modifications that serve their purposes. The group is after money: it operates against ATMs, banking services, casinos and cryptocurrency platforms.

BlueNoroff and RustBucket: the strategy for spreading the trojan changes

What caught Kaspersky's attention in recent days, however, is a substantial change in the RustBucket campaign. Until recently the trojan was distributed through a PDF reader application.

The researchers found that BlueNoroff now distributes a ZIP archive containing what presents itself as a PDF document, titled "Crypto-assets and their risks for financial stability" or something very similar.

In reality, opening the file executes the trojan. The malware then collects information from the infected machine and sends it to the attackers. The stolen data includes:

  • Computer name
  • Operating system version
  • Time zone
  • Device startup date
  • Operating system installation date
  • Current time
  • List of running processes

Depending on the response it receives, the trojan can then fetch further files, go to sleep, or delete itself if the victim does not meet the criteria set by BlueNoroff.

Although most anti-malware and antivirus products currently detect this malware, users are still advised to treat suspicious email attachments with the utmost caution.
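As an added example (not part of the original article and not Kaspersky's tooling), the following Python script performs the attachment check a practitioner would want for the delivery method described above: it opens a ZIP archive offline and flags any member whose name presents it as a PDF while its first bytes say otherwise, any macOS .app bundle packed inside the archive, and any Mach-O executable. The archive it inspects is constructed inline for demonstration; the member names borrow the lure title quoted in the article, but the byte contents are synthetic and are not samples of the real malware.

```python
"""
Triage a ZIP attachment for members that present as PDF documents but are not.

Per member, two signals are combined:
  1. the file name (".pdf" in the basename, or a parent directory ending in ".app");
  2. the leading bytes, compared against the PDF and Mach-O magic values.
A name-only check is defeated by a simple rename and a hidden extension, so the
content magic is always consulted as well.
"""
import io
import zipfile

PDF_MAGIC = b"%PDF-"

# Mach-O magic numbers: 32-bit and 64-bit, both byte orders, plus the fat/universal
# header. Caveat: 0xCAFEBABE is also the Java class-file magic, so a full
# classifier would go on to validate the fat header's architecture count.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # MH_MAGIC / MH_CIGAM (32-bit)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",   # FAT_MAGIC / FAT_CIGAM
}


def classify_bytes(head: bytes) -> str:
    """Classify a file from its first bytes: 'pdf', 'mach-o', 'zip' or 'unknown'."""
    if head.startswith(PDF_MAGIC):
        return "pdf"
    if head[:4] in MACHO_MAGICS:
        return "mach-o"
    if head.startswith(b"PK\x03\x04"):
        return "zip"
    return "unknown"


def triage_zip(data: bytes) -> list[dict]:
    """Return one finding per suspicious member; an empty list means nothing was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = info.filename.split("/")
            basename = parts[-1].lower()
            with zf.open(info) as fh:
                head = fh.read(8)          # enough for every magic checked above
            kind = classify_bytes(head)

            reasons = []
            if ".pdf" in basename and kind != "pdf":
                reasons.append(f"name claims PDF but content is {kind}")
            if any(p.lower().endswith(".app") for p in parts[:-1]):
                reasons.append("member lives inside a macOS .app bundle")
            if kind == "mach-o":
                reasons.append("Mach-O executable inside a document archive")
            if reasons:
                findings.append({"member": info.filename, "kind": kind, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive (hypothetical contents; only the lure title is from the article)."""
    title = "Crypto-assets and their risks for financial stability"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # 1. a genuine document: name and magic agree, so it is not flagged
        zf.writestr(f"docs/{title}.pdf", b"%PDF-1.7\n% constructed benign sample\n")
        # 2. an executable wearing a .pdf name: 64-bit little-endian Mach-O magic
        zf.writestr(f"{title}.pdf", b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
        # 3. an app bundle carrying the same title, with a fat Mach-O inside
        zf.writestr(f"{title}.app/Contents/MacOS/{title}", b"\xca\xfe\xba\xbe" + b"\x00" * 28)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(f"{finding['member']!r} [{finding['kind']}]")
        for reason in finding["reasons"]:
            print(f"   - {reason}")
```

Run against the constructed archive, the benign document passes, the renamed Mach-O is flagged for the name/content mismatch, and the bundle member is flagged twice (bundle location and executable content). On a real mail gateway the same logic would run on the attachment bytes before they reach the user; note that a ZIP nested inside the ZIP comes back as kind `zip` and would need the function applied recursively.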
