Hackers are using a fake PDF viewer to infect Macs with malware — how to stay safe

MacBook Pro 16-inch 2021 sitting on a patio table
(Image credit: Tom's Guide)

Hackers continue to set their sights on Macs and this time around, they’re using a new macOS malware to infect unsuspecting users.

As reported by The Hacker News, the North Korea-based BlueNoroff (a subgroup of the infamous Lazarus hacking group) is targeting Mac users with a new malware strain dubbed RustBucket.

First discovered by security researchers at the cybersecurity firm Jamf, RustBucket is a stage-one malware that is able to download additional payloads from a command and control (C&C) server controlled by the hackers behind this campaign.

If you use one of the best MacBooks or even a Mac Mini, you’re going to want to be careful when checking your email as the RustBucket malware is delivered via a fake PDF viewer application.

Disguised as an Internal PDF Viewer

The BlueNoroff hackers are using an unsigned application called “Internal PDF Viewer.app” to infect vulnerable Macs with the RustBucket malware. However, this internal PDF viewer app is just the first stage of the infection.

Once downloaded onto a Mac, RustBucket then retrieves the second-stage payload which is a signed application posing as a legitimate Apple bundle identifier from the hacker-controlled C&C server. To throw off potential victims, it also displays a decoy PDF with information from a legitimate venture capital firm.

From here, the malware then receives the stage-three payload which is a signed trojan that can run on both ARM and X86 systems since it’s written in the Rust programming language.

The RustBucket malware is capable of gathering system information from an infected Mac including a list of running processes, the current time and whether it’s running in a virtual machine.

In its report, Jamf provided further insight on the state of Mac malware, saying: “The malware used here shows that as macOS grows in market share, attackers realize that a number of victims will be immune if their tooling is not updated to include the Apple ecosystem. Lazarus group, which has strong ties to BlueNoroff, has a long history of attacking macOS and it’s likely we’ll see more APT groups start doing the same.”

How to keep your Mac safe from malware

A padlock resting next to the Apple logo on the lid of a gold-colored Apple laptop.

(Image credit: robert coolen/Shutterstock)

Just like on one of the best Windows laptops, when it comes to keeping your Mac safe from malware, you want to be extremely careful when checking your inbox. PDFs and other attachments are often used by hackers to spread malware which is why you should avoid opening any files in emails sent from an unknown sender. Likewise, you shouldn’t click on any links these emails contain either.

Although MacOS comes with XProtect to detect and block malware from running on your Apple computer and Gatekeeper to ensure that all software is signed by a developer registered with Apple, Mac malware does slip through the cracks from time to time. This is why you should also consider using one of the best Mac antivirus software solutions on your Apple computers.

As Jamf pointed out in its report, we’ll likely see more state-sponsored hackers targeting Macs now that Apple’s computers have become increasingly popular. For this reason, Mac users now need to be just as careful as Windows users to avoid having their systems infected with malware and their personal and financial information stolen by hackers.

More from Tom's Guide

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.