North Korean Cybercriminals are Manipulating macOS Malware Strategies to Evade Detection

SentinelOne’s New Findings on North Korean Cyber Threats

On Nov 28, 2023, SentinelOne unveiled new details about North Korean hackers, who use RustBucket droppers to deploy the KANDYKORN macOS malware. The firm also linked ObjCShellz, another macOS malware, to RustBucket. Google’s Mandiant had earlier noted that these groups share tactics.

RustBucket and Lazarus Group’s Techniques

The Lazarus Group, known for RustBucket, uses a fake PDF reader app, SwiftLoader, to deliver the next-stage Rust-based malware. The malware is triggered when the user opens a lure document. This tactic shows the group’s sophisticated approach.

KANDYKORN Campaign’s Target and Method

The KANDYKORN campaign focuses on blockchain engineers. It initiates a multi-stage attack sequence that eventually deploys a remote access trojan. This malware resides in memory and gives the attackers control of the infected system.

Introduction of ObjCShellz

SentinelOne also identified ObjCShellz in the RustBucket campaign. It acts as a remote shell, executing commands sent by the attacker. This payload is a later-stage threat in the malware sequence.

Collaboration Among North Korean Hackers

Further investigation by SentinelOne revealed that Lazarus uses SwiftLoader to spread KANDYKORN. This supports the idea that North Korea’s cyber groups work together. They have also developed new SwiftLoader variants, such as EdoneViewer, which contact a hacker-controlled domain, likely to retrieve the KANDYKORN RAT.

AhnLab’s Findings and the Broader Cyber Landscape

AhnLab’s Security Emergency Response Center (ASEC) linked the subgroup Andariel to attacks that exploit Apache ActiveMQ flaws to install the NukeSped and TigerRAT backdoors. Mandiant’s warnings align with these findings, highlighting the DPRK’s collaborative cyber strategies, which make tracking and stopping these threats more challenging.
