November 28, 2023 at 12:43PM
North Korean APT groups are using a mix of malware components from KandyKorn and RustBucket to avoid detection and continue their operations. They are targeting macOS machines to attack cryptocurrency exchanges and raise money for the Kim Jong Un regime. The groups are taking evasive steps by mixing loaders and components to confuse security researchers and victims. North Korean APTs are known for reusing infrastructure, allowing researchers to discover new indicators of compromise.
The meeting notes discuss the activities of North Korean advanced persistent threat (APT) groups targeting macOS machines. These groups, including Lazarus and BlueNoroff, have recently introduced malware named KandyKorn and RustBucket to attack cryptocurrency exchanges and raise money for the Kim Jong Un regime.
Security researchers from SentinelOne have discovered that these APT groups are now mixing and matching different components of these malware types to evade detection and confuse security researchers and victims. By using different loaders and other components, the groups create new attack setups while still using the same ultimate payloads.
The researchers have identified several variants of the malware and its components. For example, in one attack RustBucket uses a first-stage AppleScript applet together with a Swift-based application bundle called “Internal PDF Viewer.app”. Additionally, variants of SwiftLoader, the stager used by RustBucket, have been observed, such as “SecurePDF Viewer” and “Crypto-assets and their risks for financial stability[.]app[.]zip”.
The researchers have also provided a list of indicators of compromise (IoCs) to help potential victims identify if they have been compromised.