SentinelOne has recently uncovered a notable evolution in the tactics employed by the Lazarus Group, the infamous North Korean hacking group.
The finding concerns the group's macOS malware campaigns, specifically RustBucket and KANDYKORN, whose previously separate attack chains are now being combined.
RustBucket and SwiftLoader: A Glimpse into the Attack Chain
RustBucket, a campaign attributed to the Lazarus Group, is characterized by a backdoored version of a PDF reader app called SwiftLoader, which loads a second-stage malware written in Rust once the victim opens a specially crafted lure document.
The KANDYKORN campaign, by contrast, targeted blockchain engineers at an unnamed cryptocurrency exchange through Discord. Its multi-stage attack sequence culminates in the deployment of the eponymous full-featured, memory-resident remote access trojan (RAT).
ObjCShellz: A Later-Stage Payload
Adding another layer is ObjCShellz, a macOS-specific malware identified by Jamf Threat Labs. Positioned as a later-stage payload, ObjCShellz functions as a remote shell, executing commands sent from the attacker's server.
SentinelOne's closer inspection shows that the Lazarus Group is leveraging SwiftLoader, a key component of the RustBucket campaign, to distribute the KANDYKORN malware. This overlap underscores a growing trend, highlighted in a recent report by Google subsidiary Mandiant, of different North Korean hacking groups borrowing tactics and tools from one another.
The Lazarus Group has also deployed new variants of the SwiftLoader stager that present themselves as an executable named EdoneViewer. Behind this facade, the stager contacts an actor-controlled domain, likely to retrieve the KANDYKORN RAT. This reuse of overlapping infrastructure and tactics exemplifies the adaptability and sophistication of North Korean threat actors.
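The chain described above (a stager named EdoneViewer that beacons out, and a document viewer that ends up running attacker shell commands) translates into a few hunting rules for macOS endpoint telemetry. The script below is an added illustration, not SentinelOne's or Jamf's code. It assumes a simple JSON-lines event feed with process and network events (an assumed schema, not any vendor's), uses the documentation address 203.0.113.10 as a placeholder for the actor-controlled domain, and runs over constructed sample events rather than real telemetry.

```python
"""Hunt for EdoneViewer/SwiftLoader-style activity in macOS endpoint events.

Added example; the event schema and sample data are constructed assumptions.
"""
import json
from dataclasses import dataclass

# Executable name reported for the new SwiftLoader stager variant.
STAGER_NAMES = {"EdoneViewer"}
# Interpreters and shells a document viewer should never spawn; a remote shell
# payload such as ObjCShellz executes attacker commands through these.
SHELLS = {"sh", "bash", "zsh", "osascript", "python3", "curl"}
# Document-viewer process names to watch (assumption: tune per environment).
VIEWER_NAMES = {"EdoneViewer", "Preview", "InternalPDFViewer"}

# Constructed sample events mimicking an EDR feed. Not real telemetry.
SAMPLE_EVENTS = """\
{"type":"process","pid":401,"ppid":1,"name":"EdoneViewer","path":"/Users/dev/Downloads/EdoneViewer"}
{"type":"network","pid":401,"dst":"203.0.113.10","port":443}
{"type":"process","pid":402,"ppid":401,"name":"zsh","path":"/bin/zsh"}
{"type":"process","pid":500,"ppid":1,"name":"Preview","path":"/System/Applications/Preview.app/Contents/MacOS/Preview"}
{"type":"network","pid":500,"dst":"17.253.144.10","port":443}
{"type":"process","pid":600,"ppid":1,"name":"Terminal","path":"/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"}
{"type":"process","pid":601,"ppid":600,"name":"zsh","path":"/bin/zsh"}
"""


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def hunt(events_text: str) -> list[Alert]:
    """Apply three rules to a JSON-lines event stream and return alerts in order."""
    procs: dict[int, dict] = {}  # pid -> most recent process event
    alerts: list[Alert] = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["type"] == "process":
            procs[ev["pid"]] = ev
            # Rule 1: a process carrying the reported stager name.
            if ev["name"] in STAGER_NAMES:
                alerts.append(Alert("stager-name", ev["pid"], ev["path"]))
            # Rule 2: a document viewer spawning a shell or interpreter.
            parent = procs.get(ev["ppid"])
            if parent and parent["name"] in VIEWER_NAMES and ev["name"] in SHELLS:
                alerts.append(Alert("viewer-spawns-shell", ev["pid"],
                                    f'{parent["name"]} -> {ev["name"]}'))
        elif ev["type"] == "network":
            # Rule 3: the stager reaching out, i.e. the second-stage fetch.
            proc = procs.get(ev["pid"])
            if proc and proc["name"] in STAGER_NAMES:
                alerts.append(Alert("stager-beacon", ev["pid"],
                                    f'{ev["dst"]}:{ev["port"]}'))
    return alerts


if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
```

Rule 2 is the durable one: the stager's file name will change between variants, but a PDF viewer that spawns zsh or osascript is anomalous regardless of what the binary is called. Ordinary Preview network traffic (pid 500 in the sample) is deliberately not flagged, since legitimate viewers do talk to the network.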
Andariel: A Lazarus Subgroup
In a parallel development, the AhnLab Security Emergency Response Center (ASEC) has implicated Andariel, a subgroup within Lazarus, in cyber attacks exploiting a security flaw in Apache ActiveMQ (CVE-2023-46604, CVSS score: 10.0). These attacks involve the installation of the NukeSped and TigerRAT backdoors, showcasing the multifaceted nature of the Lazarus Group's operations.
The convergence of macOS malware strains, collaboration among North Korean threat actors, and their adaptability underscore the dynamic and evolving nature of cyber threats originating from this region.
For context, in 2021 Lazarus netted approximately $400 million worth of digital assets from at least seven large-scale attacks against cryptocurrency platforms.