Cybersecurity revelations indicate that the notorious Lazarus Group, the North Korean threat actors responsible for macOS malware like RustBucket and KANDYKORN, is orchestrating a complex fusion of these disparate attack chains.
Recent insights from SentinelOne shed light on the group's sophisticated approach, incorporating RustBucket droppers to deploy the KANDYKORN malware.
RustBucket's SwiftLoader Connection
Cybersecurity researchers have discovered that the latest macOS malware strains are connected to the RustBucket campaign which is under operation by a group of North Korean hackers.
The RustBucket campaign, associated with the Lazarus Group, revolves around a backdoored PDF reader app named SwiftLoader. Acting as a conduit, SwiftLoader loads a subsequent Rust-based malware when users access a specially crafted lure document. This establishes the foundation for the group's covert operations.
Related Article: Microsoft Says North Korean Hackers Compromised CyberLink to Distribute Trojanized Installer File
KANDYKORN's Multi-Stage Assault
In contrast, the KANDYKORN campaign showcases a targeted cyber operation where Discord became the vector for a multi-stage assault on blockchain engineers from an undisclosed crypto exchange platform.
The campaign culminates in the deployment of the sophisticated KANDYKORN remote access trojan, a memory-resident threat with extensive capabilities.
ObjCShellz Unveiled as the Third Piece
Adding complexity to the equation, SentinelOne links ObjCShellz to the RustBucket campaign, per The Hacker News.
Identified as a later-stage payload, ObjCShellz operates as a remote shell, executing commands sent from the attacker server. This revelation points out the intricacies of Lazarus Group's tactics, showcasing a well-orchestrated sequence of malware deployments.
SwiftLoader's Role in KANDYKORN Distribution
A deeper dive into SentinelOne's analysis exposes the Lazarus Group's utilization of SwiftLoader to disseminate KANDYKORN. This aligns with recent reports from Mandiant, revealing a growing trend among North Korean hacker groups borrowing tactics and tools from each other.
The Lazarus Group employs new variants of the SwiftLoader stager, presenting itself as an executable named EdoneViewer. However, its true function involves connecting to an actor-controlled domain, likely fetching the KANDYKORN RAT.
Coinciding with these revelations, the AhnLab Security Emergency Response Center (ASEC) implicates Andariel, a Lazarus subgroup, in cyber attacks exploiting an Apache ActiveMQ security flaw (CVE-2023-46604, CVSS score: 10.0). The attacks involve the installation of NukeSped and TigerRAT backdoors, showcasing the multifaceted nature of Lazarus Group's cyber operations.
Lazarus Group's adaptability and intricate tactics highlights the challenges faced by defenders in safeguarding against sophisticated threats.
Back in July, another group of North Korean hackers have infiltrated crypto firms. The target of the notorious gang of cybercriminals were high-profile organizations.
Dubbed "Labyrinth Chollima," the threat actors are experts in attacking government agencies, media firms, and even the big financial institutions.
Security researchers said that the state-sponsored hackers had previously engaged in stealing over $1.3 billion from banks and crypto exchanges globally.
It was said that the money that they got from their victims was used to buy new nuclear weapons for North Korea.
For more reports about cybersecurity, malware, security flaws, and the like, always visit Tech Times to stay updated.
Read Also: British Library Ransomware Attack: Stolen Personal Data up for Online Bid-Who Is to Blame?
