North Korean hackers combine malware to attack macOS

By Malcolm Owen

North Korea is becoming more of an online threat, with its hackers conducting multiple campaigns and frequently targeting macOS.

North Korea is among the countries best known for fielding state-aligned hackers, and occasionally they cause major incidents: the 2014 breach of Sony Pictures, for example, was squarely blamed on North Korean-aligned hackers.

A report released by SentinelOne on Monday finds that hackers associated with North Korea remain active and, in 2023, spent considerable time and effort attacking macOS users.

According to security researchers, RustBucket and KandyKorn were two major campaigns targeting macOS in 2023.

RustBucket delivered a loader, dubbed SwiftLoader, posing as a PDF viewer for a lure document sent to victims. SwiftLoader combined an AppleScript applet with a Swift-based application; when that application was used to open the specially crafted PDF, it triggered code that downloaded a Rust-based payload to the Mac.

KandyKorn, meanwhile, targeted blockchain engineers at a cryptocurrency exchange. Using Python scripts, the campaign hijacked the host's Discord application and installed a remote access trojan (RAT) backdoor on target systems.

Crossing the streams

While these attacks were sophisticated in their own right, it appears the malware authors are now blending components from both campaigns.

RustBucket's SwiftLoader has been seen in several variants, built to run on both Intel and Apple Silicon Macs. In one instance the variant was packaged in an archive named "Crypto-assets and their risks for financial stability.app.zip" and carried multiple elements linking it to KandyKorn.

These elements include the KandyKorn Python script "FinderTools" and the filename ".pld", which also appeared in another variant. The researchers have "medium confidence" that the .pld file in this hybrid is the same one used by the KandyKorn RAT itself.

"Overlaps in infrastructure, objectives, and TTPs" (tactics, techniques and procedures) also indicate that components of the two campaigns are being used together in some variants.

SentinelOne concludes that its analysis "corroborates findings from other researchers" about "North Korean-linked threat actors' tendency to reuse shared infrastructure", and that this reuse is an opportunity for defenders to widen their understanding of the activity and discover new indicators.

How to keep yourself safe from KandyKorn and RustBucket

SentinelOne says its Singularity product detects and protects against all known components of KandyKorn and RustBucket, but Mac users can also protect themselves with common sense and good online practice.

That means knowing where files and applications come from, not opening documents received from or found at untrustworthy sources, and installing security updates promptly. Note that RustBucket's chain only started once the victim ran the fake PDF viewer, so an unexpected "viewer" app delivered alongside a document is itself a warning sign.
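As an added example, not code from the article or from SentinelOne, the script below turns the file-name indicators the report names for the hybrid variant (the "Crypto-assets and their risks for financial stability.app.zip" archive, the "FinderTools" script and the ".pld" file) into a simple hunt over a directory tree, and adds the generic lure shape described above: a document-looking name that is really an app bundle or a zipped bundle. The directory layout in make_sample_tree is constructed for the demo and is an assumption; only the indicator strings come from the report, and a hit on a name alone is a prompt to inspect, not proof of compromise.

```shell
#!/bin/sh
# Added example (not from the article or SentinelOne): hunt a tree for the
# RustBucket/KandyKorn hybrid's file-name indicators plus the generic
# "document name that is really an app" lure shape.

# Indicator strings named in the report.
LURE_ZIP='Crypto-assets and their risks for financial stability.app.zip'
KANDYKORN_SCRIPT='FinderTools'
PAYLOAD_EXT='.pld'

# tag_lines TAG: prefix each stdin path with TAG and a tab (POSIX printf, no sed \t).
tag_lines() {
    tag=$1
    while IFS= read -r p; do
        printf '%s\t%s\n' "$tag" "$p"
    done
}

# hunt_ioc ROOT: print one "TAG<TAB>PATH" line per hit, deduplicated and sorted.
hunt_ioc() {
    root=$1
    {
        # 1. The exact lure archive name from the hybrid SwiftLoader sample.
        find "$root" -type f -name "$LURE_ZIP" 2>/dev/null | tag_lines lure-zip
        # 2. The KandyKorn "FinderTools" script, any extension.
        find "$root" -type f -name "$KANDYKORN_SCRIPT*" 2>/dev/null | tag_lines findertools
        # 3. A hidden file named exactly ".pld" or anything ending in .pld.
        find "$root" -type f \( -name "$PAYLOAD_EXT" -o -name "*$PAYLOAD_EXT" \) 2>/dev/null \
            | tag_lines pld-payload
        # 4. Generic lure: document extension followed by ".app" (bundle directory)
        #    or ".app.zip" (zipped bundle), which is how a fake "PDF viewer" ships.
        find "$root" \( -type d -o -type f \) \
            \( -iname '*.pdf.app' -o -iname '*.pdf.app.zip' \
               -o -iname '*.doc.app' -o -iname '*.doc.app.zip' \
               -o -iname '*.docx.app' -o -iname '*.docx.app.zip' \) 2>/dev/null \
            | tag_lines double-ext-lure
    } | sort -u
}

# make_sample_tree DIR: constructed demo tree (assumption: none of these paths
# are claimed to be where the real malware lives). Three hits, one bundle lure,
# two benign decoys.
make_sample_tree() {
    d=$1
    mkdir -p "$d/Downloads" "$d/Library/Caches" "$d/Docs/report.pdf.app/Contents/MacOS"
    : > "$d/Downloads/$LURE_ZIP"                      # hit: lure-zip
    : > "$d/Library/Caches/FinderTools.py"            # hit: findertools
    : > "$d/Library/Caches/.pld"                      # hit: pld-payload (hidden file)
    : > "$d/Docs/report.pdf.app/Contents/MacOS/report" # parent dir is a double-ext-lure
    : > "$d/Docs/quarterly.pdf"                       # decoy: plain document
    : > "$d/Docs/notes.pld.txt"                       # decoy: .pld is not the final extension
}

# Demo run over the constructed tree.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
hunt_ioc "$demo_dir"
rm -rf "$demo_dir"
```

On a real Mac you would call `hunt_ioc "$HOME"` (and, with privileges, `/Library` and `/Users/Shared`) and then inspect any hit by hand; the fourth check deliberately matches bundle directories as well as archives because a macOS .app is a directory once unpacked.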

With threat-actor interest in macOS estimated at roughly ten times its 2019 level, Mac users need to be more aware than ever that they are at risk, despite Apple's efforts to keep the operating system secure.