MacOS Malware Mix & Match: North Korean APTs Stir Up Fresh Attacks

Published: 23/11/2024   Category: security




Lazarus and its cohorts are switching loaders and other code between RustBucket and KandyKorn macOS malware to fool victims and researchers.



North Korean advanced persistent threat (APT) groups are mixing and matching components of two recently unleashed types of Mac-targeted malware to evade detection and fly under the radar as they continue their efforts to conduct operations at the behest of the Kim Jong Un regime.
Lazarus and one of its spinoffs, BlueNoroff, recently debuted KandyKorn and RustBucket, respectively, two kinds of malware representing the North Korean threat groups' forays into targeting macOS machines. The malware is being used to attack cryptocurrency exchanges and other financial institutions to raise money for Kim's government.
Now the groups are taking further evasive steps by mixing loaders and other components of those malwares in various attacks aimed at throwing security researchers and victims off their trail, researchers from SentinelOne revealed in a blog post published Nov. 28.
As is typical with North Korean APTs — which recently demonstrated an organization and alignment of resources and tactics to achieve common goals — the details of the new activity are a dizzying mix of stagers, loaders, and payloads, some of which appear to be a part of entirely new campaigns.
Once the researchers peeled back the curtains, however, they discovered that the ultimate payloads being used are ones recently uncovered — sometimes in new variant form. It's merely the attack setups and related components that vary, revealing more about how the threat operations aim to confuse both organizations under attack and those tracking the groups, they said.
"Our analysis corroborates findings from other researchers that North Korean-linked threat actors' tendency to reuse shared infrastructure affords us the opportunity to widen our understanding of their activity and discover fresh indicators of compromise," SentinelOne threat researcher Phil Stokes wrote in the post.
Last month, threat researchers uncovered two new types of malware being used by North Korean APTs to target macOS in the groups' typical endeavors to steal crypto and other funds to bankroll Kim's regime.
The KandyKorn remote access Trojan (RAT), revealed in a report by Elastic Security Labs, was the more sophisticated of the two, with a full-featured set of capabilities to detect, access, and steal any data from the victim's computer, including cryptocurrency services and applications.
RustBucket, meanwhile, used a rudimentary reverse shell called ObjCShellz to compromise new targets and was characterized as "dumbed down but effective" by Jamf Threat Labs. It also used a second-stage payload dubbed SwiftLoader, which functioned externally as a PDF viewer for a lure document sent to targets.
The latest campaigns featuring those malwares show a mix-and-match approach to the previous attack flow, SentinelOne discovered.
In one RustBucket attack that appeared at first to be an entirely different campaign, attackers used a first stage AppleScript applet and a Swift-based application bundle called Internal PDF Viewer.app, which used specially crafted PDFs to unlock code for downloading a Rust-based payload, according to the SentinelOne blog post. This deviated from the original attack flow being used to deploy the malware in previous campaigns.
SentinelOne also has observed various RustBucket variants as well as new variations of its Swift-based stager, collectively dubbed SwiftLoader. While some of these continued to be distributed with the name "InternalPDF Viewer," as in previous campaigns, the researchers also spotted a variant called "SecurePDF Viewer."
"This application was signed and notarized by Apple (since revoked) by a developer with the name BBQ BAZAAR PRIVATE LIMITED (7L2UQTVP6F)," Stokes wrote. The variant requires at least macOS 12.6 (Monterey) and is capable of running on both Intel and Apple silicon devices.
Meanwhile, SentinelOne researchers now believe that what Jamf researchers identified as ObjCShellz in the earlier RustBucket campaigns is a later stage of the SwiftLoader SecurePDF Viewer.app, which North Korean attackers may now be using to deploy KandyKorn.
SentinelOne also identified other versions of SwiftLoader in the wild, including one distributed in a lure called "Crypto-assets and their risks for financial stability[.]app[.]zip," which has some interesting overlaps with the KandyKorn operation.
"This application is also signed and notarized by Apple (since revoked) by a developer with the name Northwest Tech-Con Systems Ltd (2C4CB2P247)," Stokes wrote. The bundle identifier is com.EdoneViewer and the app's main executable is EdoneViewer, which contains a hardcoded URL that, once decoded, reaches out to a domain to drop a hidden executable, he added.
That domain, on-global.xyz, is similar to tp.globa.xyz, a URL that the KandyKorn Python script reached out to in previous campaigns to grab next-stage malware. This domain was also used by SugarLoader, a component used in previous KandyKorn campaigns for initial access to targeted systems, the researchers observed.
SentinelOne included a comprehensive list of indicators of compromise (IoCs) for the various types of malware and components observed in attacks by North Korean APTs to help potential victims identify if they've been compromised.
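As an added defender-side illustration, not code from the SentinelOne report or the article, the shell functions below screen a macOS app bundle against the indicators named above: they parse `codesign -dv --verbose=4` output for the revoked team identifiers and the com.EdoneViewer bundle identifier, and search `strings` output for the two C2 domains. The `SAMPLE_*` values are constructed (the SecurePDF Viewer bundle identifier shown is invented), and `hunt_app` only does real work on a Mac where `codesign` is present.

```shell
# Added triage helper, not from the SentinelOne report: screens a macOS app
# bundle against the SwiftLoader indicators quoted in the article. Team IDs,
# bundle ID and domains come from the article; SAMPLE_* values are constructed.
SUSPECT_TEAM_IDS="7L2UQTVP6F 2C4CB2P247"     # revoked Developer ID team IDs
SUSPECT_BUNDLE_IDS="com.EdoneViewer"
SUSPECT_DOMAINS="on-global.xyz tp.globa.xyz"

# classify_codesign: takes the text of `codesign -dv --verbose=4 APP 2>&1`
# (codesign writes to stderr) and prints team-match:<id>, bundle-match:<id>
# or clean. Revoked notarization is not checked here; `spctl --assess -vv APP`
# covers that on a live Mac.
classify_codesign() {
    team=$(printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p' | head -n 1)
    ident=$(printf '%s\n' "$1" | sed -n 's/^Identifier=//p' | head -n 1)
    for t in $SUSPECT_TEAM_IDS; do
        [ "$team" = "$t" ] && { printf 'team-match:%s\n' "$team"; return 0; }
    done
    for b in $SUSPECT_BUNDLE_IDS; do
        [ "$ident" = "$b" ] && { printf 'bundle-match:%s\n' "$ident"; return 0; }
    done
    printf 'clean\n'
}

# scan_strings: takes `strings EXECUTABLE` output and prints each suspect
# domain it contains, one per line (nothing when none match).
scan_strings() {
    for d in $SUSPECT_DOMAINS; do
        printf '%s\n' "$1" | grep -F -q -- "$d" && printf '%s\n' "$d"
    done
    return 0
}

# hunt_app: live check of one bundle; only meaningful where codesign exists.
hunt_app() {
    command -v codesign >/dev/null 2>&1 || { echo "codesign not available"; return 0; }
    classify_codesign "$(codesign -dv --verbose=4 "$1" 2>&1)"
    exe="$1/Contents/MacOS/$(defaults read "$1/Contents/Info" CFBundleExecutable)"
    scan_strings "$(strings "$exe")"
}

# Constructed codesign output for a bundle signed under the revoked BBQ BAZAAR
# team ID; the bundle identifier shown is invented, not the real one.
SAMPLE_SIGNED='Executable=/Applications/SecurePDF Viewer.app/Contents/MacOS/SecurePDF Viewer
Identifier=com.example.securepdfviewer
TeamIdentifier=7L2UQTVP6F'
# Constructed `strings` excerpt in which the decoded C2 domain appears.
SAMPLE_STRINGS='_main
https://on-global.xyz
__TEXT'
```

On a live Mac, `hunt_app "/Applications/Some.app"` runs both checks; a team-match on an otherwise unknown viewer app warrants pulling the bundle for analysis rather than trusting the (since revoked) notarization.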
