Recent findings from cybersecurity firm SentinelOne shed light on how North Korean threat actors are evolving their macOS malware campaigns. The actors behind the RustBucket and KANDYKORN malware families are now combining components from what were previously tracked as separate attack chains, which complicates attribution and lets them vary their infection paths to evade detection. Notably, SentinelOne links the distribution of KANDYKORN to RustBucket droppers, a merging of tactics across what had looked like distinct operations. The report also ties a third macOS-specific malware, ObjCShellz, to the RustBucket campaign, further complicating the picture of these threats.
The RustBucket campaign, attributed to the Lazarus Group, uses a backdoored PDF reader app (the stager SentinelOne tracks as SwiftLoader) to load a next-stage payload written in Rust once the victim opens a specific lure document. The KANDYKORN campaign, by contrast, is known for a multi-stage attack sequence that targets blockchain engineers via Discord and ultimately deploys a memory-resident remote access trojan (RAT). ObjCShellz, a remote shell that executes commands received from an attacker-controlled server, adds a further component to these operations. SentinelOne’s analysis also confirms that the Lazarus Group has used SwiftLoader to deliver KANDYKORN, echoing a trend noted in a Mandiant report on North Korean groups collaborating and borrowing one another’s techniques and tools.
This collaboration among North Korean groups, as Mandiant’s report highlights, poses a significant challenge for defenders because shared tooling and adaptive tactics blur the boundaries between clusters that were once tracked separately. Among the new developments are additional SwiftLoader stager variants, including an executable named EdoneViewer that contacts an actor-controlled domain, likely to retrieve the KANDYKORN RAT. These developments underscore the difficulty of tracking and countering the rapidly changing tactics of these cooperating adversaries, since a detection keyed to one campaign’s first stage may no longer predict which payload follows.