North Korean threat actors behind two major macOS-targeting malware strains of 2023 — RustBucket and KandyKorn — have been found mixing the elements of these disparate attacks to evade detection, according to a SentinelOne study.
The new technique leverages the RustBucket dropper, SwiftLoader, to deliver the KandyKorn remote access trojan (RAT) payload.
“We provide the first clues that RustBucket droppers and KandyKorn payloads are likely being shared as part of the same infection chain,” SentinelOne said in a blog post on the findings. “Our analysis corroborates findings from other researchers that North Korean-linked threat actors’ tendency to reuse shared infrastructure affords us the opportunity to widen our understanding of their activity and discover fresh indicators of compromise.”
SentinelOne also noted the use of a late-stage RustBucket payload ObjCShellz, another macOS-specific malware for executing simple shell commands from a remote C2.
Shared infrastructure for obfuscation
Recent studies have indicated overlaps in tools and techniques used by different North Korean hacker groups, as also corroborated by a recent Mandiant report on the current state of North Korean cybersecurity structure.
“While different threat groups share tooling and code, North Korean threat activity continues to adapt and change to build tailored malware for different platforms, including Linux and macOS,” Mandiant said in the report.
The obfuscation technique observed by SentinelOne is in line with this, having combined the dropper module of RustBucket, an activity cluster linked to the Lazarus Group first observed in May, to deliver the KandyKorn RAT payload, first reported by Elastic Security Labs earlier this month.
The RustBucket campaign uses a backdoored PDF viewer, SwiftLoader, to read a lure document sent to users. While victims viewed the lure, SwiftLoader retrieved and executed a further stage malware written in the Rust language.
KandyKorn, on the other hand, is a multiphase campaign aimed at blockchain engineers working on a cryptocurrency exchange platform. The miscreants employed Python scripts to deploy malware, seizing control of the host’s Discord application, and then introducing a backdoor RAT coded in C++, referred to as “KandyKorn.”
The shared infrastructure allows the attackers to use SwiftLoader for installing HLoader, a payload targeted at Discord application that enables persistence through frequent launches of the application, thereby evading detection. Additionally, SentinelOne found traces of ObjCShellz as a later-stage payload written in Objective-C to maintain persistent remote access.