RTM Locker gang target Linux.

Apr 27 2023

Gone Phishing Banner

Welcome to Gone Phishing, your daily newsletter that’s popping off like Snapchat AI.

Today’s hottest cyber security stories:

  • RTM Locker’s First Linux Ransomware
  • PrestaShop fixes bug that lets any backend user delete databases
  • Lazarus rises again with offshoot group BlueNoroff APT


Did you hear the news? The RTM Locker gang has decided to expand their horizons and target Linux machines with their latest ransomware creation! Looks like they’re taking their first baby steps into the open-source operating system world.

According to Uptycs, the new ransomware strain infects Linux, NAS, and ESXi hosts and was inspired by Babuk ransomware’s leaked source code. That’s some serious inspiration, huh? The RTM Locker guys sure know how to keep up with the latest trends!

What’s more, the group has a history of being super sneaky and staying under the radar by avoiding high-profile targets like critical infrastructure, law enforcement, and hospitals. They’re like the shy kid in class who doesn’t want to draw any attention to themselves!

But don’t be fooled by their timid demeanor, because the RTM Locker gang has some serious skills. They use a combo of ECDH on Curve25519 and Chacha20 to encrypt files, making it nearly impossible to crack.

And get this, their Linux flavor is specifically designed to go after ESXi hosts by shutting down all virtual machines running on a compromised host before encrypting the data. Talk about being thorough!

So, who knows what’s next for these cyber criminals? Maybe they’ll take on the entire open-source community! Or maybe they’ll just stick to quietly ransoming their victims and leaking their data.

One thing’s for sure, though, these guys are definitely not to be underestimated!


It looks like PrestaShop has released a new version that fixes a big ol’ vulnerability. You see, before this update, any back-office user could just waltz right in and mess with the SQL databases, no matter their permissions. That’s like giving your little cousin the keys to your Ferrari. Not smart.

Now, these back-office users are supposed to have limited access based on their roles, but apparently, that wasn’t cutting it. This flaw, dubbed CVE-2023-30839 (posh, right?), had a critical score of 9.9 on the CVSS v3.1 scale. Translation: it was baaaaad.

And get this, there’s no mitigation for it. Nada. Zilch. Zero. So, if you were using PrestaShop version 8.0.3 or older, you were basically playing Russian roulette with your online store’s database.

Sure, you had to have a user account to exploit this vulnerability, but let’s be real, online shops often have more staff than a Taylor Swift concert. So, the risk of a rogue or disgruntled employee causing some serious damage was pretty high.

And as if that wasn’t enough, this flaw opened up a whole can of worms for hackers. They could potentially inject some nasty code or backdoors, or even gain access to the SQL database. Yikes.

Anyway, long story short, if you were using PrestaShop before this update, you were just asking for trouble.

But hey presto, at least now you can breathe a little easier knowing your database is safe from meddling back-office users.


A new malware family has been spotted on macOS, and it’s like nothing you’ve seen before. The North Korea-linked BlueNoroff threat group, who are believed to be part of the Lazarus hacking crew, are the ones behind this little gem, which they’ve named RustBucket.

This multi-stage malware is a bit of a sneaky little devil, fetching additional payloads from its C2 server. The first stage of the malware is included in an unsigned application called Internal PDF Viewer. Once you override Gatekeeper, this thing gets to work trying to trick you into downloading the stage-two payload. Talk about crafty!

This is where things get really crazy. The second-stage payload poses as an Apple bundle identifier, and it shows you a decoy PDF, which includes information stolen from a real-life venture capital firm’s website. How’s that for an authentic touch?

The malware then contacts the C2 server to get the stage-three payload, which is a signed trojan written in the Rust language that runs on both x86 and ARM architectures. Once it’s got all this information, the malware starts collecting details about your system and sends it all back to the attacker.

Now, this isn’t just any old malware. Experts have discovered that this is the handiwork of BlueNoroff, a notorious sub-group of the Lazarus APT. They’ve used similar social engineering tactics and domains in previous campaigns, so this is definitely their style.

This is one tricky piece of malware, so you macOS users need to be extra vigilant. Block those malicious domains and use a genuine anti-malware solution.

Don’t let RustBucket corrode your soul!

So long and thanks for reading all the phish!

Recent articles