
EdoneViewer: RustBucket Campaign Continues

SecureList by Kaspersky identified a novel loader named "EdoneViewer" that specifically targets macOS devices. EdoneViewer is believed to be associated with the DPRK-nexus Bluenoroff "RustBucket" campaign, which appears to remain active and to be continually updating its techniques.


Kaspersky's report indicates that the new variant was discovered inside a ZIP archive that also contained a PDF file titled "Crypto-assets and their risks for financial stability." This seemingly benign document serves as a decoy. On closer inspection, the ZIP archive's metadata reportedly shows a creation date of 21 October 2023.


Kaspersky's analysis sheds light on the loader's functionality:

  • Once launched, the malware downloads the mentioned PDF file and opens it, providing a diversion.

  • While the victim's attention is on the PDF, the loader sends a POST request to the attacker-controlled server and saves the response to a file named ".pw". According to Kaspersky's analysis, the .pw file is indeed a trojan whose signature has been known since last August.

  • The .pw Trojan collects system information (computer name, OS version, time zone, device startup date, OS installation date, current time, and a list of running processes) and sends it to the C2. The C2 domain, on-global[.]xyz, was registered only recently, on 20 October 2023, the day before the presumed creation date of the decoy PDF.
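The behaviour summarised in the three bullets above translates directly into a hunting query. The following script is an added example, not code from the Clipeus post or from Kaspersky's report: it runs the page's observables (a hidden file literally named ".pw", a POST to on-global[.]xyz, and a C2 domain registered on 20 October 2023) over a batch of constructed endpoint and network telemetry records. The event schema, the host names and the WHOIS lookup table are assumptions standing in for whatever EDR and domain-age feed an environment actually has; only the indicators themselves come from the write-up.

```python
"""Hunting script for the RustBucket/EdoneViewer behaviour described above.

Added example; the event schema, hostnames and WHOIS table are hypothetical.
Only the ".pw" filename, the on-global[.]xyz domain and its registration
date are taken from the published analysis.
"""

from datetime import date, datetime

# Indicators taken from the write-up.
C2_DOMAIN = "on-global.xyz"           # defanged as on-global[.]xyz in the post
C2_REGISTERED = date(2023, 10, 20)    # registration date reported by Kaspersky
DROPPED_FILENAME = ".pw"              # file the loader writes the POST response to
MAX_DOMAIN_AGE_DAYS = 30              # heuristic: POSTs to very new domains are suspicious

# Constructed sample telemetry (hypothetical schema, not real logs).
EVENTS = [
    {"ts": "2023-10-24T09:12:03", "type": "file_write", "host": "mac-01",
     "process": "CryptoAssets.app", "path": "/Users/alice/.pw"},
    {"ts": "2023-10-24T09:12:04", "type": "http", "host": "mac-01",
     "process": "CryptoAssets.app", "method": "POST", "domain": "on-global.xyz"},
    {"ts": "2023-10-24T09:15:10", "type": "file_write", "host": "mac-02",
     "process": "Preview", "path": "/Users/bob/Downloads/report.pdf"},
    {"ts": "2023-10-24T09:16:00", "type": "http", "host": "mac-02",
     "process": "Safari", "method": "GET", "domain": "example.com"},
]

# Hypothetical WHOIS lookup table standing in for a real domain-age feed.
DOMAIN_REGISTRATION = {
    "on-global.xyz": C2_REGISTERED,
    "example.com": date(1995, 8, 14),
}


def domain_age_days(domain, seen_on):
    """Days between registration and the observed contact, or None if unknown."""
    reg = DOMAIN_REGISTRATION.get(domain)
    if reg is None:
        return None
    return (seen_on - reg).days


def evaluate(event):
    """Return the list of alert reasons for one event (empty list means benign)."""
    reasons = []
    seen_on = datetime.fromisoformat(event["ts"]).date()
    if event["type"] == "file_write":
        # The loader saves the C2 response as a hidden file named exactly ".pw".
        if event["path"].rsplit("/", 1)[-1] == DROPPED_FILENAME:
            reasons.append("hidden file '.pw' written (RustBucket loader artifact)")
    elif event["type"] == "http":
        if event["domain"] == C2_DOMAIN:
            reasons.append("traffic to known RustBucket C2 on-global[.]xyz")
        # Generic version of the same signal: the C2 was registered the day
        # before the decoy was built, so domain age is a useful second check.
        age = domain_age_days(event["domain"], seen_on)
        if age is not None and age < MAX_DOMAIN_AGE_DAYS and event["method"] == "POST":
            reasons.append(f"POST to domain registered {age} days ago")
    return reasons


def hunt(events):
    """Group alert reasons by host so a dropped file plus a C2 POST surface together."""
    alerts = {}
    for ev in events:
        for reason in evaluate(ev):
            alerts.setdefault(ev["host"], []).append(reason)
    return alerts


if __name__ == "__main__":
    for host, reasons in hunt(EVENTS).items():
        print(host)
        for r in reasons:
            print("  -", r)
```

On the constructed input only mac-01 is flagged, with three reasons: the ".pw" write, the contact with the named C2, and the POST to a four-day-old domain. The domain-age check is the part worth keeping after the specific indicator goes stale, since the post's own timeline (registration on 20 October, decoy built on 21 October) is exactly the pattern it looks for.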

Consistent with previous reporting on RustBucket, this development appears to be part of a broad financially-motivated campaign. Cryptocurrency holders and blockchain engineers at cryptocurrency exchanges are likely to be the primary targets.


For additional context and intelligence on the RustBucket campaign, see the post we published last week.

If you are interested in specifics or additional insights on the threats above or any other threat, please visit our dedicated service page or reach out to info@clipeusintelligence.com with your inquiry. We would be glad to assist you.
