North Korea-associated threat actors have been observed using a new tactic, which involves combining elements of software used in previous malware campaigns, according to new findings from researchers at SentinelOne.
In the new campaign, the hackers behind macOS malware strains such as RustBucket and KandyKorn have been “mixing and matching” elements of these separate attacks to deliver the KandyKorn remote access trojan (RAT) payload using SwiftLoader, a dropper observed in the RustBucket campaign.
The initial Rustbucket campaign leveraged a second-stage malware, SwiftLoader, which functioned externally as a PDF Viewer for a lure document sent to targets. While victims viewed the lure, SwiftLoader retrieved and executed a further stage malware written in Rust.
The KandyKorn campaign was an elaborate multi-stage operation targeting blockchain engineers of a crypto exchange platform. Python scripts were used to drop malware that hijacked the host’s installed Discord app, and subsequently delivered a backdoor RAT written in C++ dubbed ‘KandyKorn’.
RustBucket's SwiftLoader has been seen in a number of variations, capable of running on both Intel and Apple Silicon hardware. In one case, the SwiftLoader variant was packaged in a file called "Crypto-assets and their risks for financial stability.app.zip" and had multiple elements that connected it to KandyKorn.
The most recent campaign also leveraged a late-stage RustBucket payload called ‘ObjCShellz’, another tool for executing simple shell commands from a remote command-and-control server (C2).
“We provide the first clues that RustBucket droppers and KandyKorn payloads are likely being shared as part of the same infection chain,” SentinelOne said in a blog post. “Our analysis corroborates findings from other researchers that North Korean-linked threat actors' tendency to reuse shared infrastructure affords us the opportunity to widen our understanding of their activity and discover fresh indicators of compromise.”
