N. Korean Hackers ‘Mixed’ macOS Malware Tactics to Avoid Detection

Nov 28, 2023 | Newsroom | Malware / Cyber Espionage


The North Korean threat actors behind macOS malware strains such as RustBucket and KANDYKORN have been observed to "mix and match" elements of two different attack chains, using RustBucket droppers to deliver KANDYKORN.

The findings come from cybersecurity firm SentinelOne, which also tied a third macOS-specific malware called ObjCShellz to the RustBucket campaign.

RustBucket refers to a cluster of activity linked to the Lazarus Group in which a backdoored version of a PDF reader app, called SwiftLoader, is used as a conduit for loading a next-stage malware written in Rust upon viewing a specially crafted lure document.


The KANDYKORN campaign, on the other hand, refers to a malicious cyber operation in which blockchain engineers of an unnamed crypto exchange platform were targeted via Discord to initiate a sophisticated multi-stage attack that led to the deployment of the eponymous full-featured, memory-resident remote access trojan.

The third piece of the attack puzzle is ObjCShellz, which Jamf Threat Labs revealed earlier this month as a late-stage payload that acts as a remote shell, executing shell commands sent from an attacker-controlled server.


Further analysis of these campaigns by SentinelOne now shows that the Lazarus Group is using SwiftLoader to distribute KANDYKORN, confirming a recent report from Google-owned Mandiant about how the various hacker groups from North Korea are increasingly borrowing each other’s tactics and tools.

"The DPRK's cyber landscape has evolved into a streamlined organization with shared tooling and targeting efforts," Mandiant said. "This flexible tasking approach makes it harder for defenders to track, identify, and prevent malicious activities, while allowing this now-collaborative adversary to operate covertly with greater agility and flexibility."


This includes the use of new variants of the SwiftLoader stager that pose as an executable named EdoneViewer but, in fact, contact an actor-controlled domain to potentially retrieve the KANDYKORN RAT, an assessment based on infrastructure overlaps and the tactics used.

The disclosure comes as the AhnLab Security Emergency Response Center (ASEC) implicated Andariel, a subgroup within Lazarus, in cyber attacks exploiting a security flaw in Apache ActiveMQ (CVE-2023-46604, CVSS score: 10.0) to install the NukeSped and TigerRAT backdoors.
