N. Korean Hackers ‘Mixing’ macOS Malware Tactics to Evade Detection

N. Korean Hackers 'Mixing' macOS Malware Tactics to Evade Detection

November 28, 2023 at 12:06AM

The Lazarus Group, a North Korean threat actor, has been observed combining elements from two separate macOS malware strains, RustBucket and KANDYKORN. They are using RustBucket droppers to deliver the KANDYKORN malware. Another macOS-specific malware called ObjCShellz has also been linked to the RustBucket campaign by cybersecurity firm SentinelOne. This highlights the evolving and collaborative nature of North Korean hacker groups, making it challenging for defenders to track and thwart their malicious activities. Additionally, Andariel, a subgroup within Lazarus, has been implicated in cyber attacks exploiting a security flaw in Apache ActiveMQ.

Key Takeaways from Meeting Notes:

1. North Korean threat actors are combining elements from their RustBucket and KANDYKORN attack chains, using RustBucket droppers to deliver KANDYKORN malware.
2. The Lazarus Group is associated with the RustBucket activity cluster, wherein a backdoored version of a PDF reader app called SwiftLoader is used to load a next-stage Rust-based malware.
3. The KANDYKORN campaign involves targeting blockchain engineers of a crypto exchange platform via Discord, leading to the deployment of a memory resident remote access trojan.
4. ObjCShellz is a later-stage payload acting as a remote shell, executing shell commands sent from the attacker’s server.
5. SentinelOne’s analysis confirms that the Lazarus Group is using SwiftLoader to distribute KANDYKORN.
6. North Korean hacker groups are increasingly borrowing tactics and tools from each other, making it challenging for defenders to track and attribute their activities.
7. New variants of the SwiftLoader stager, named EdoneViewer, are being used to retrieve the KANDYKORN RAT from actor-controlled domains.
8. Andariel, a subgroup within Lazarus, has been implicated in cyber attacks exploiting a security flaw in Apache ActiveMQ to install NukeSped and TigerRAT backdoors.
9. The AhnLab Security Emergency Response Center disclosed these cyber attacks exploiting the Apache ActiveMQ vulnerability.

If you need further information or assistance, please let me know.

Full Article