New Crypto Hacking Threat for MacOS Users

  • A new crypto hacking threat targeting MacOS users has emerged from a North Korean hacking group
  • BlueNoroff is using a recently discovered malware, RustBucket, to steal computer system information
  • It then uses this information to take cryptocurrencies from user accounts

A new threat for crypto holders using MacOS devices has emerged, with the North Korean group BlueNoroff behind it; the threat was discovered last month. BlueNoroff typically embeds malware in Word documents, PDFs or PowerPoint files, then uses second-stage malware to steal cryptocurrencies from unsuspecting recipients, and it seems the group is now using a new piece of malware, RustBucket, to aid its endeavors.

BlueNoroff Targeted Crypto Startups in 2022

BlueNoroff is a prominent division within North Korea’s Reconnaissance General Bureau, playing a pivotal role in advancing the regime’s financial and geopolitical interests through cyber operations. The group began targeting successful cryptocurrency startups in 2022, aiming to build a map of interactions between individuals so that it could carry out high-quality social engineering attacks that came across as entirely normal interactions.

The group shot to notoriety in 2022 when the United States State Department offered a substantial reward of $10 million for valuable information regarding BlueNoroff and other state-sponsored hacking groups, including Andariel, APT38, Guardians of Peace, and Lazarus Group. It had already been subject to sanctions in 2018 over the WannaCry hacking incident.

It seems that BlueNoroff’s targeting of the crypto sector has morphed to include individuals thanks to its use of RustBucket, with Paris-based threat intelligence company Sekoia first detecting its use in December 2022. Apple’s share of the desktop computer market in the United States has grown to 31%, making its users a more attractive target.

Ignore PDFs You Weren’t Expecting

The group carries out its attacks by sending tailored emails that lure recipients into downloading a purported PDF reader and opening a specific PDF file with it. Unbeknownst to the victim, the PDF file contains malicious code designed to trigger a connection to a command-and-control server. The server then delivers the backdoor component of the RustBucket kill chain, which gathers system information and sends it back to the command-and-control server.
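The chain above (an unsigned, freshly downloaded "PDF reader" opens a PDF and shortly afterwards makes an outbound connection) is a sequence a defender can look for in endpoint telemetry. The following Python is an added illustration written for this page; it is not code from the article, from BlueNoroff or from RustBucket. The event schema, the `signed` field, the `UNTRUSTED_DIRS` list, the 120-second window and every sample record are constructed assumptions, and the sample addresses are RFC 5737 documentation ranges; adapt the field names to whatever your EDR or unified-log export actually provides.

```python
# Toy behavioural rule for the fake-PDF-reader chain described in the article.
# All records below are constructed for illustration (not real telemetry).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass
class Event:
    ts: int        # seconds since epoch (constructed values)
    pid: int       # process that performed the action
    image: str     # path of the executable
    action: str    # "exec", "open_file" or "connect"
    detail: str    # file path for open_file, "host:port" for connect, "" for exec
    signed: bool   # assumed field: does the binary carry a valid code signature?


# Places a just-downloaded "reader" typically runs from (assumption for the rule).
UNTRUSTED_DIRS = ("/Downloads/", "/tmp/", "/private/tmp/", "/private/var/folders/")
WINDOW_SECONDS = 120  # exec -> PDF open -> outbound connect must fit in this window

# Ranges we consider internal; anything else (or any hostname) counts as external.
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(host_port: str) -> bool:
    """True when host:port points outside the internal ranges above."""
    host = host_port.rsplit(":", 1)[0]
    try:
        addr = ip_address(host)
    except ValueError:
        return True  # hostnames are treated as external for this rule
    return not any(addr in net for net in INTERNAL_NETS)


def detect_fake_reader_chain(events: List[Event]) -> List[Dict]:
    """One alert per process that, in order and within WINDOW_SECONDS:
    (1) executed unsigned from an untrusted directory,
    (2) opened a .pdf file,
    (3) then connected to an external host."""
    alerts: List[Dict] = []
    by_pid: Dict[int, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_pid.setdefault(ev.pid, []).append(ev)

    for pid, evs in by_pid.items():
        exec_ev = next((e for e in evs if e.action == "exec" and not e.signed
                        and any(d in e.image for d in UNTRUSTED_DIRS)), None)
        if exec_ev is None:
            continue
        pdf_ev = next((e for e in evs if e.action == "open_file" and e.ts >= exec_ev.ts
                       and e.detail.lower().endswith(".pdf")), None)
        if pdf_ev is None:
            continue
        conn_ev = next((e for e in evs if e.action == "connect" and e.ts >= pdf_ev.ts
                        and e.ts - exec_ev.ts <= WINDOW_SECONDS
                        and is_external(e.detail)), None)
        if conn_ev is None:
            continue
        alerts.append({"pid": pid, "image": exec_ev.image, "pdf": pdf_ev.detail,
                       "remote": conn_ev.detail, "elapsed": conn_ev.ts - exec_ev.ts})
    return alerts


# Constructed sample telemetry: a benign signed viewer with no network activity,
# one sequence matching the described chain, and a signed browser connecting out.
PREVIEW = "/System/Applications/Preview.app/Contents/MacOS/Preview"
FAKE_READER = "/Users/alice/Downloads/ExampleReader.app/Contents/MacOS/ExampleReader"
SAMPLE_EVENTS = [
    Event(1000, 501, PREVIEW, "exec", "", True),
    Event(1002, 501, PREVIEW, "open_file", "/Users/alice/Documents/invoice.pdf", True),
    Event(1100, 777, FAKE_READER, "exec", "", False),
    Event(1103, 777, FAKE_READER, "open_file", "/Users/alice/Downloads/proposal.pdf", False),
    Event(1108, 777, FAKE_READER, "connect", "203.0.113.10:443", False),
    Event(1200, 888, "/Applications/Safari.app/Contents/MacOS/Safari", "connect", "198.51.100.5:443", True),
]

if __name__ == "__main__":
    for a in detect_fake_reader_chain(SAMPLE_EVENTS):
        print(f"ALERT pid={a['pid']} {a['image']} opened {a['pdf']} "
              f"then connected to {a['remote']} after {a['elapsed']}s")
```

The rule keys on the ordering of the three steps rather than on any file hash or domain, which is the point: a lure document and its reader can be renamed or rebuilt, but a document viewer that is unsigned, runs from the Downloads folder and phones out right after opening a file is unusual enough to be worth an analyst's look. Extending the rule with a notarization check or with the parent process (a mail client or browser spawning the reader) tightens it further.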

The hackers can then use this information to infiltrate the system and easily extract cryptocurrencies through exchange accounts. To mitigate this threat, ensure you have two-factor authentication turned on for all crypto accounts and email addresses, never stay logged into exchange accounts longer than you need to, and don’t open any suspicious-looking emails.