URL: https://www.darkreading.com/threat-intelligence/north-korean-apts-mix-and-match-malware-components-to-evade-detection
MACOS MALWARE MIX & MATCH: NORTH KOREAN APTS STIR UP FRESH ATTACKS

Lazarus and its cohorts are switching loaders and other code between RustBucket
and KandyKorn macOS malware to fool victims and researchers.

Elizabeth Montalbano, Contributing Writer

November 28, 2023



North Korean advanced persistent threat (APT) groups are mixing and matching
components of two recently unleashed types of Mac-targeted malware to evade
detection and fly under the radar as they continue their efforts to conduct
operations at the behest of the Kim Jong Un regime.

Lazarus and one of its spinoffs, BlueNoroff, recently debuted KandyKorn and
RustBucket, respectively, two kinds of malware representing the North Korean
threat groups' forays into targeting macOS machines. The malware is being used
to attack cryptocurrency exchanges and other financial institutions to raise
money for Kim's government.



Now the groups are taking further evasive steps by mixing loaders and other
components of those malware families in various attacks aimed at throwing
security researchers and victims off their trail, researchers from SentinelOne
revealed in a blog post published Nov. 28.

As is typical with North Korean APTs — which recently demonstrated an
organization and alignment of resources and tactics to achieve common goals —
the details of the new activity are a dizzying mix of stagers, loaders, and
payloads, some of which appear to be a part of entirely new campaigns.  



Once the researchers peeled back the curtains, however, they discovered that the
ultimate payloads being used are ones recently uncovered — sometimes in new
variant form. It's merely the attack setups and related components that vary,
revealing more about how the threat operations aim to confuse both organizations
under attack and those tracking the groups, they said.



"Our analysis corroborates findings from other researchers that North
Korean-linked threat actors' tendency to reuse shared infrastructure affords us
the opportunity to widen our understanding of their activity and discover fresh
indicators of compromise," SentinelOne threat researcher Phil Stokes wrote in
the post.


MALWARE MELEE: APTS MIX IT UP

Last month, threat researchers uncovered two new types of malware being used by
North Korean APTs to target macOS in the groups' typical endeavors to steal
crypto and other funds to bankroll Kim's regime.

The KandyKorn remote access Trojan (RAT), revealed in a report by Elastic
Security Labs, was the more sophisticated of the two, with a full-featured set
of capabilities to detect, access, and steal any data from the victim's
computer, including cryptocurrency services and applications.



RustBucket, meanwhile, used a rudimentary reverse shell called "ObjCShellz" to
compromise new targets and was characterized as "dumbed down" but effective by
Jamf Threat Labs. It also used a second-stage payload dubbed "SwiftLoader,"
which posed as a PDF viewer for a lure document sent to targets.

The latest campaigns featuring those malware families show a mix-and-match
approach compared with the previous attack flow, SentinelOne discovered.

In one RustBucket attack that appeared at first "to be an entirely different
campaign," attackers used a first-stage AppleScript applet and a Swift-based
application bundle called "Internal PDF Viewer.app," which used specially
crafted PDFs to unlock code for downloading a Rust-based payload, according to
the SentinelOne blog post. This deviated from the attack flow used to deploy
the malware in previous campaigns.


LOADER PIVOTS BETWEEN TYPES OF MALWARE

SentinelOne also has observed various RustBucket variants as well as new
variations of its Swift-based stager, collectively dubbed SwiftLoader. While
some of these continued to be distributed under the name "Internal PDF Viewer,"
as in previous campaigns, the researchers also spotted a variant called
"SecurePDF Viewer."



"This application was signed and notarized by Apple (since revoked) by a
developer with the name 'BBQ BAZAAR PRIVATE LIMITED (7L2UQTVP6F),'" Stokes
wrote. The variant requires at least macOS 12.6 (Monterey) and is capable of
running on both Intel and Apple silicon devices.

Meanwhile, the ObjCShellz component that Jamf researchers identified in the
previous RustBucket campaigns is, SentinelOne researchers believe, "a later
stage of the SwiftLoader SecurePDF Viewer.app," which the North Korean
attackers may now be using to deploy KandyKorn.

SentinelOne also identified other versions of SwiftLoader in the wild, including
one distributed in a lure called "Crypto-assets and their risks for financial
stability[.]app[.]zip," which has "some interesting overlaps" with the KandyKorn
operation.

"This application is also signed and notarized by Apple (since revoked) by a
developer with the name 'Northwest Tech-Con Systems Ltd (2C4CB2P247),'" Stokes
wrote. The bundle identifier is com.EdoneViewer, and the app's main executable,
EdoneViewer, contains a hardcoded URL that, once decoded, reaches out to a
domain to drop a hidden executable, he added.

That domain, on-global.xyz, is similar to tp.globa.xyz, the URL that the
KandyKorn Python script reached out to for next-stage malware in its previous
campaigns. The same domain was also used by SugarLoader, a component used in
previous KandyKorn campaigns for initial access to targeted systems, the
researchers observed.
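The checks a responder would run on a suspect bundle follow directly from the details above: the Team ID in the Developer ID certificate, the bundle identifier and main executable from Info.plist, the minimum OS the bundle declares, and any clear-text C2 domain in the binary. The script below is an added example and is not code from SentinelOne, Jamf, Elastic or Dark Reading. It parses the key=value output that `codesign -dvv` writes to stderr and reads Info.plist with the standard library; the bundle, the codesign output and the executable bytes it builds are constructed sample data that mirror the EdoneViewer description so the script runs on any OS. On a Mac, pass a real bundle path and the captured output of `codesign -dvv "/path/to/App.app" 2>&1`.

```python
"""Triage a macOS .app bundle against the identifiers quoted in the article.

Added example (not SentinelOne's, Jamf's or Elastic's code). The sample
bundle and codesign output below are constructed for illustration.
"""
import os
import plistlib
import re
import tempfile

# Indicators quoted in the article (SentinelOne, Nov. 28, 2023).
IOC_TEAM_IDS = {"7L2UQTVP6F", "2C4CB2P247"}
IOC_BUNDLE_IDS = {"com.EdoneViewer"}
IOC_DOMAINS = {"on-global.xyz", "tp.globa.xyz"}
IOC_APP_NAMES = {
    "Internal PDF Viewer",
    "SecurePDF Viewer",
    "Crypto-assets and their risks for financial stability",
}

# Constructed `codesign -dvv` output in the real tool's key=value format.
SAMPLE_CODESIGN = """\
Executable=/Users/victim/Downloads/Crypto-assets and their risks for financial stability.app/Contents/MacOS/EdoneViewer
Identifier=com.EdoneViewer
Format=app bundle with Mach-O universal (x86_64 arm64)
Authority=Developer ID Application: Northwest Tech-Con Systems Ltd (2C4CB2P247)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=2C4CB2P247
"""


def parse_codesign(output: str) -> dict:
    """Parse codesign -dvv output; repeated Authority= keys become a list."""
    info: dict = {}
    for line in output.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "Authority":
            info.setdefault("Authority", []).append(value)
        else:
            info[key] = value
    return info


def leaf_developer(sig: dict):
    """Return (name, team_id) from the Developer ID leaf certificate, if any."""
    for auth in sig.get("Authority", []):
        m = re.match(r"Developer ID Application: (.+) \(([A-Z0-9]{10})\)$", auth)
        if m:
            return m.group(1), m.group(2)
    return None, None


def find_domains(blob: bytes, domains=IOC_DOMAINS) -> set:
    """IoC domains present as clear-text strings in the binary.

    This only catches unobfuscated references. The article says the
    EdoneViewer URL is stored encoded, so an empty result is not a clean bill
    of health; it is one signal alongside the Team ID and bundle ID.
    """
    text = blob.decode("latin-1")
    return {d for d in domains if d in text}


def triage(bundle: str, codesign_output: str) -> dict:
    """Collect bundle facts and a list of (indicator_type, value) hits."""
    with open(os.path.join(bundle, "Contents", "Info.plist"), "rb") as fh:
        plist = plistlib.load(fh)
    sig = parse_codesign(codesign_output)
    dev_name, dev_team = leaf_developer(sig)

    result = {
        "app_name": os.path.basename(bundle).removesuffix(".app"),
        "bundle_id": plist.get("CFBundleIdentifier", ""),
        "executable": plist.get("CFBundleExecutable", ""),
        "min_os": plist.get("LSMinimumSystemVersion", ""),
        "team_id": sig.get("TeamIdentifier", dev_team or ""),
        "developer": dev_name,
        "hits": [],
    }
    if result["app_name"] in IOC_APP_NAMES:
        result["hits"].append(("app_name", result["app_name"]))
    if result["bundle_id"] in IOC_BUNDLE_IDS:
        result["hits"].append(("bundle_id", result["bundle_id"]))
    if result["team_id"] in IOC_TEAM_IDS:
        result["hits"].append(("team_id", result["team_id"]))

    exe_path = os.path.join(bundle, "Contents", "MacOS", result["executable"])
    if os.path.isfile(exe_path):
        with open(exe_path, "rb") as fh:
            for d in sorted(find_domains(fh.read())):
                result["hits"].append(("c2_domain", d))
    return result


def build_sample_bundle(root: str) -> str:
    """Constructed bundle mirroring the article's EdoneViewer description."""
    bundle = os.path.join(root, "Crypto-assets and their risks for financial stability.app")
    os.makedirs(os.path.join(bundle, "Contents", "MacOS"))
    with open(os.path.join(bundle, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleIdentifier": "com.EdoneViewer",
                       "CFBundleExecutable": "EdoneViewer",
                       "LSMinimumSystemVersion": "12.6"}, fh)  # 12.6 assumed
    with open(os.path.join(bundle, "Contents", "MacOS", "EdoneViewer"), "wb") as fh:
        # Fake Mach-O magic plus a clear-text domain; not a real binary.
        fh.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 16 + b"on-global.xyz\x00")
    return bundle


def demo() -> dict:
    """Build the constructed sample in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_bundle(tmp), SAMPLE_CODESIGN)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two caveats when using this on a live host. The "since revoked" notarization means `spctl -a -vv` will now reject these bundles, but a copy that ran before revocation passed Gatekeeper at the time, so match on the Team ID rather than on the current assessment result. And because the app names and team IDs are the easiest things for the operators to rotate, treat the hits as a prompt to pull the full SentinelOne IoC list, not as the whole detection.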

SentinelOne included a comprehensive list of indicators of compromise (IoCs) for
the various types of malware and components observed in attacks by North Korean
APTs to help potential victims identify if they've been compromised.




ABOUT THE AUTHOR(S)

Elizabeth Montalbano, Contributing Writer



Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing
mentor with more than 25 years of professional experience. Her areas of
expertise include technology, business, and culture. Elizabeth previously lived
and worked as a full-time journalist in Phoenix, San Francisco, and New York
City; she currently resides in a village on the southwest coast of Portugal. In
her free time, she enjoys surfing, hiking with her dogs, traveling, playing
music, yoga, and cooking.

