In the Realm of Rust: A Journey into Reversing RustBucket on macOS

Presented at Objective by the Sea version 6.0 (2023), Oct. 12, 2023, 10:10 a.m. (40 minutes).

RustBucket is a multi-stage malware discovered earlier this year by Jamf Threat Labs and has been attributed to the BlueNoroff APT group, a subgroup of Lazarus. In this talk, we will investigate the campaigns employed by BlueNoroff with a focus on reversing the various backdoor components of the malware. We will share insights into how we detected RustBucket on macOS, along with valuable threat-hunting techniques. Subsequently, we will conduct a thorough analysis of the malware, aiming to gain an understanding of the objectives pursued by the threat actors.

Throughout the talk, we will present detection strategies that defenders can utilize to identify malicious activity within their own environments. As a bonus, we will also be demoing and releasing a new tool titled SpriteTree, which uses the SpriteKit framework (Apple's 2D game framework) to visualize and interact with data exported from ESLogger.

Presenters:

  • Ferdous Saljooki - Detection Developer at Jamf
    Ferdous Saljooki is a Detection Developer for Jamf where he hunts and analyzes threats on macOS to build reliable detections. Prior to joining Jamf, he worked for organizations as a threat hunter and researcher focused on application and network threats. Ferdous has a passion for macOS security and enjoys researching malware and understanding system internals to better protect users.
  • Jaron Bradley - macOS Detections Team Lead at Jamf
    Jaron Bradley has worked on various incident response, engineering, and threat hunting teams throughout his career where he has focused mostly on Unix-based intrusions. He is the author of OS X Incident Response Scripting and Analysis and manages themittenmac.com — a website dedicated to helping those further understand threat hunting on macOS — in his free time.
