N. Korean Hackers ‘Mixing’ macOS Malware Tactics to Steal Data

North Korean hacking groups are pooling their resources to steal data from macOS devices. After observing recent attacks, security researchers have noticed that two different North Korean malware campaigns, RustBucket and KANDYKORN, are mixing and matching their malicious components to bypass security measures on targeted Macs.

RustBucket and KANDYKORN


SentinelOne published a report disclosing that KANDYKORN is being spread using RustBucket droppers. The report also tied another piece of malware, ObjCShellz, to RustBucket. At present, the Lazarus Group appears to be responsible for these modular attacks.

RustBucket is a macOS malware campaign that targets cryptocurrency platforms, using a backdoored version of SwiftLoader (a PDF reader) to deliver its payload. KANDYKORN, on the other hand, is a campaign against the blockchain sector that deploys a notorious RAT called KandyKorn via Discord.


How Do RustBucket and KANDYKORN Work Together?

The attackers are now using the RustBucket backdoor to deliver the KandyKorn RAT. ObjCShellz is then used as a later-stage payload to give the attackers remote access. The attack is meticulously crafted to steal confidential information from targeted macOS machines.

Mixing RustBucket and KANDYKORN makes it harder for security experts to recognize the intrusion or remediate it. Combining two different malware campaigns also makes it harder for antimalware tools or other security controls on the system to block the attack.

About The Attacks

By sharing resources and pursuing common goals, the DPRK cyber landscape has become well organized and more efficient. Mandiant reported that the versatility and speed of these attacks make them challenging for security experts to identify or stop.

Further research showed that the hackers are using a SwiftLoader stager. Although it looks like an EdoneViewer executable, it is in fact used to contact an actor-controlled domain, from which it retrieves the KANDYKORN RAT, allowing the attackers to steal data from the Mac.
