North Korean Hackers Innovate macOS Malware Tactics to Elude Detection
November 28, 2023
North Korean cyber adversaries behind macOS malware variants such as RustBucket and KANDYKORN have been seen to 'mix and match' distinct elements of the two different attack chains. They are leveraging RustBucket droppers to disseminate KANDYKORN. These observations were made by cybersecurity company SentinelOne, which also associated a third macOS-specific malware named ObjCShellz with the RustBucket campaign.
RustBucket is an activity cluster associated with the Lazarus Group. It uses a compromised version of a PDF reader app, called SwiftLoader, to load a next-stage payload written in Rust when a specially crafted lure document is viewed. The KANDYKORN campaign, by contrast, targeted blockchain engineers of an undisclosed crypto exchange platform via Discord, initiating a multi-stage attack sequence that ended with the deployment of the eponymous full-featured, memory-resident remote access trojan.
The third element of the attack is ObjCShellz, disclosed earlier this month by Jamf Threat Labs. It serves as a later-stage payload: a remote shell that executes shell commands sent from the attacker's server. SentinelOne's further analysis of these campaigns has revealed that the Lazarus Group is using SwiftLoader to distribute KANDYKORN. This supports a recent report from Google-owned Mandiant about North Korean hacker groups increasingly using each other's tactics and tools.
Mandiant noted, "The DPRK's cyber landscape has evolved to a streamlined organization with shared tooling and targeting efforts. This flexible approach to tasking makes it difficult for defenders to track, attribute, and thwart malicious activities, while enabling this now collaborative adversary to move stealthily with greater speed and adaptability." SentinelOne's findings include new variants of the SwiftLoader stager that masquerade as an executable named EdoneViewer but in fact contact an actor-controlled domain, likely to fetch the KANDYKORN RAT, based on overlaps in infrastructure and the tactics used.
The revelation comes as the AhnLab Security Emergency Response Center (ASEC) linked Andariel – a subgroup within Lazarus – to cyber attacks exploiting a security flaw in Apache ActiveMQ (CVE-2023-46604, CVSS score: 10.0) to install NukeSped and TigerRAT backdoors.