North Korean Hackers Innovate macOS Malware Tactics to Elude Detection

November 28, 2023

North Korean threat actors behind the macOS malware families RustBucket and KANDYKORN have been observed mixing and matching components of the two previously distinct attack chains, using RustBucket droppers to deliver KANDYKORN. The findings come from cybersecurity company SentinelOne, which also tied a third macOS-specific malware, ObjCShellz, to the RustBucket campaign.

RustBucket is an activity cluster attributed to the Lazarus Group. It relies on a trojanized PDF reader app, tracked as SwiftLoader, that loads a second-stage payload written in Rust when the victim opens a specially crafted lure document. KANDYKORN, by contrast, was a campaign that targeted blockchain engineers at an undisclosed cryptocurrency exchange through Discord, initiating a multi-stage attack chain that ended with the deployment of the eponymous, full-featured, memory-resident remote access trojan.

The third element, ObjCShellz, was disclosed earlier this month by Jamf Threat Labs. It is a later-stage payload that functions as a remote shell, executing commands sent from the attacker-controlled server. SentinelOne's further analysis of these campaigns shows that the Lazarus Group is now using SwiftLoader to distribute KANDYKORN, which corroborates a recent report from Google-owned Mandiant that North Korean hacking groups are increasingly sharing each other's tactics and tooling.

Mandiant noted, "The DPRK's cyber landscape has evolved to a streamlined organization with shared tooling and targeting efforts. This flexible approach to tasking makes it difficult for defenders to track, attribute, and thwart malicious activities, while enabling this now collaborative adversary to move stealthily with greater speed and adaptability." The overlap extends to new variants of the SwiftLoader stager that masquerade as an executable named EdoneViewer but, in reality, contact an actor-controlled domain, most likely to fetch the KANDYKORN RAT, a conclusion SentinelOne draws from shared infrastructure and tactics rather than from a recovered final payload.

The disclosure comes as the AhnLab Security Emergency Response Center (ASEC) linked Andariel, a subgroup within Lazarus, to attacks exploiting a critical vulnerability in Apache ActiveMQ (CVE-2023-46604, CVSS score: 10.0) to install the NukeSped and TigerRAT backdoors.
