
North Korean hackers combine old code in new Mac attacks

According to SentinelOne research, the North Korean threat actors behind two of 2023's major macOS-targeting malware families, RustBucket and KandyKorn, are now combining components of the two campaigns, most likely to evade detection tooling tuned to either family on its own.

In the newly observed chain, RustBucket's dropper, SwiftLoader, is used to deliver KandyKorn's remote access trojan (RAT) as the second-stage payload.

“We provide the first clues that RustBucket droppers and KandyKorn payloads are likely shared as part of the same infection chain,” SentinelOne writes in a blog post on the findings.

“Our analysis confirms the findings of other researchers that the tendency of North Korean threat actors to reuse shared infrastructure allows us to broaden our understanding of their operations and discover new indicators of intrusion.”

SentinelOne also noted a later RustBucket payload, ObjCShellz, another macOS-specific backdoor that executes simple shell commands received from a remote command-and-control (C2) server.

Recent research has shown overlaps in the tools and techniques used by various North Korean hacking groups, a pattern also confirmed by a new Mandiant report on the current structure of North Korea's cyber operations.

“While different threat groups share tools and code, North Korean threat activity continues to adapt and change to build tailored malware for different platforms, including Linux and macOS,” Mandiant said in the report.

2023-11-29 06:14:00
