The North Korean threat actor behind macOS malware strains such as RustBucket and KANDYKORN has been observed leveraging RustBucket droppers to distribute KANDYKORN, "mixing and matching" elements from the two distinct attack chains.
The findings come from cybersecurity firm SentinelOne, which also said that a third macOS-specific malware, called ObjCShellz, is associated with the RustBucket campaign.
RustBucket refers to an activity cluster linked to the Lazarus group. In this activity cluster, a backdoored version of a PDF reader app called SwiftLoader is used as a conduit to load a next-stage malware written in Rust when the victim opens a specially crafted decoy document.
Meanwhile, the KANDYKORN campaign refers to a malicious cyber operation in which blockchain engineers at an unnamed crypto exchange platform were targeted via Discord and subjected to a sophisticated multi-stage attack sequence that culminated in the deployment of a fully featured, memory-resident remote access trojan of the same name.
The third piece of the attack puzzle is ObjCShellz, which was revealed by Jamf Threat Labs earlier this month as a late-stage payload that acts as a remote shell, executing shell commands sent from the attacker's server.
Further analysis of these campaigns by SentinelOne revealed that the Lazarus group utilized SwiftLoader to distribute KANDYKORN. This confirms a recent report from Google-owned Mandiant that various hacker groups in North Korea are increasingly borrowing tactics and tools from each other.
"North Korea's cyber environment has evolved into a streamlined organization with shared tools and targeting efforts," Mandiant said. "This flexible approach to the task makes it difficult for defenders to track, identify, and thwart malicious activity, while allowing this cooperative adversary to act more quickly, adaptably, and stealthily."
This includes the use of a new variant of the SwiftLoader stager that masquerades as an executable named EdoneViewer but, in reality, contacts an attacker-controlled domain to retrieve the KANDYKORN RAT, an attribution based on overlaps in infrastructure and tactics.
The disclosure comes as AhnLab Security Emergency Response Center (ASEC) implicated Andariel, a subgroup within Lazarus, in cyberattacks that exploited a security flaw in Apache ActiveMQ (CVE-2023-46604, CVSS score: 10.0) to install the NukeSped and TigerRAT backdoors.