macOS Malware Mix & Match: North Korean APTs Stir Up Fresh Attacks

North Korean advanced persistent threat groups are mixing and matching components of two recently unleashed types of Mac-targeted malware to evade detection and fly under the radar as they continue their efforts to conduct operations at the behest of the Kim Jong Un regime.

Lazarus and one of its spinoffs, BlueNoroff, recently debuted KandyKorn and RustBucket, respectively, two kinds of malware representing the North Korean threat groups' forays into targeting macOS machines. The malware is being used to attack cryptocurrency exchanges and other financial institutions to raise money for Kim's government.

Now the groups are taking further evasive steps by mixing loaders and other components of those malwares in various attacks aimed at throwing security researchers and victims off their trail, researchers from SentinelOne revealed in a blog post published Nov. 28.

As is typical with North Korean APTs, which recently demonstrated an organization and alignment of resources and tactics to achieve common goals, the details of the new activity are a dizzying mix of stagers, loaders, and payloads, some of which appear to be part of entirely new campaigns. Once the researchers peeled back the curtains, they discovered that the ultimate payloads being used are ones recently uncovered, sometimes in new variant form. It's merely the attack setups and related components that vary, revealing more about how the threat operations aim to confuse both organizations under attack and those tracking the groups, they said.

"Our analysis corroborates findings from other researchers that North Korean-linked threat actors' tendency to reuse shared infrastructure affords us the opportunity to widen our understanding of their activity and discover fresh indicators of compromise," SentinelOne threat researcher Phil Stokes wrote in the post.
Malware Melee: APTs Mix It Up

Last month, threat researchers uncovered two new types of malware being used by North Korean APTs to target macOS in the groups' typical endeavors to steal crypto and other funds to bankroll Kim's regime. The KandyKorn remote access Trojan, revealed in a report by Elastic Security Labs, was the more sophisticated of the two, with a full-featured set of capabilities to detect, access, and steal any data from the victim's computer, including cryptocurrency services and applications.

RustBucket used a rudimentary reverse shell called "ObjCShellz" to compromise new targets and was characterized as "dumbed down" but effective by Jamf Threat Labs. It also used a second-stage payload dubbed "SwiftLoader," which functioned externally as a PDF viewer for a lure document sent to targets.

The latest campaigns featuring those malwares show a mix-and-match approach to the previous attack flow, SentinelOne discovered. In one RustBucket attack that appeared at first "to be an entirely different campaign," attackers used a first-stage AppleScript applet and a Swift-based application bundle called "Internal PDF Viewer.app," which used specially crafted PDFs to unlock code for downloading a Rust-based payload, according to the SentinelOne blog post. This deviated from the original attack flow used to deploy the malware in previous campaigns.

Loader Pivots Between Types of Malware

SentinelOne also has observed various RustBucket variants as well as new variations of its Swift-based stager, collectively dubbed SwiftLoader. While some of these continued to be distributed with the name "Internal PDF Viewer," as in previous campaigns, the researchers also spotted a variant called "SecurePDF Viewer." "This application was signed and notarized by Apple by a developer with the name 'BBQ BAZAAR PRIVATE LIMITED,'" Stokes wrote. The variant requires at least macOS 12.6 and is capable of running on both Intel and Apple silicon devices.
What Jamf researchers identified as ObjCShellz in the previous RustBucket campaigns is now what SentinelOne researchers think is "a later stage of the SwiftLoader SecurePDF Viewer.app," which North Korean attackers now may be using to deploy KandyKorn.

SentinelOne also identified other versions of SwiftLoader in the wild, including one distributed in a lure called "Crypto-assets and their risks for financial stability[.]app[.]zip," which has "some interesting overlaps" with the KandyKorn operation. "This application is also signed and notarized by Apple by a developer with the name 'Northwest Tech-Con Systems Ltd,'" Stokes wrote. The app's main executable is EdoneViewer, which contains a hardcoded URL that, once decoded, reaches out to a domain to drop a hidden executable, he added. That domain, a .xyz address, is the same one the KandyKorn Python script reached out to for next-stage malware in its previous campaigns. The domain was also used by SugarLoader, a component used in previous KandyKorn campaigns for initial access to targeted systems, the researchers observed.

SentinelOne included a comprehensive list of indicators of compromise for the various types of malware and components observed in attacks by North Korean APTs to help potential victims identify if they've been compromised.
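The two signed SwiftLoader lures described above ("SecurePDF Viewer.app" and the "Crypto-assets and their risks for financial stability" app) share a few static properties a responder can check without running the bundle: a Developer ID signature under a named developer, Apple notarization, a minimum OS of 12.6, and a universal (Intel plus Apple silicon) main executable. The script below is an added example, not code from SentinelOne, Jamf or Elastic, that pulls those properties from an app bundle's Info.plist, its main Mach-O binary, and the text of `codesign -dvv` and `spctl -a -vv` (captured on a Mac or taken from a sandbox report) and flags a match against the developer names quoted in the reporting. The Team ID, file paths and the sample inputs are constructed placeholders, not values from the article.

```python
"""Offline static triage of a suspicious macOS app bundle (added example)."""
from __future__ import annotations

import plistlib
import re
import struct

# Developer names quoted by SentinelOne for the notarized SwiftLoader variants.
KNOWN_SIGNER_NAMES = {
    "BBQ BAZAAR PRIVATE LIMITED",
    "Northwest Tech-Con Systems Ltd",
}

FAT_MAGIC = 0xCAFEBABE     # universal binary header, always big-endian on disk
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit Mach-O stored big-endian
MH_CIGAM_64 = 0xCFFAEDFE   # 64-bit Mach-O stored little-endian (all current Macs)
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64"}

# Leaf certificate line as printed by `codesign -dvv`.
AUTHORITY_RE = re.compile(
    r"^Authority=Developer ID Application: (?P<name>.+?) \((?P<team>[A-Z0-9]+)\)$",
    re.MULTILINE,
)


def macho_architectures(data: bytes) -> set[str]:
    """Return the CPU architectures contained in a thin or fat Mach-O image."""
    if len(data) < 8:
        return set()
    magic = struct.unpack(">I", data[:4])[0]
    if magic == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        archs = set()
        for i in range(nfat):
            off = 8 + i * 20  # struct fat_arch is five uint32 fields
            if off + 4 > len(data):
                break
            cputype = struct.unpack(">I", data[off:off + 4])[0]
            archs.add(CPU_NAMES.get(cputype, f"cputype_{cputype:#x}"))
        return archs
    if magic == MH_CIGAM_64:
        cputype = struct.unpack("<I", data[4:8])[0]
        return {CPU_NAMES.get(cputype, f"cputype_{cputype:#x}")}
    if magic == MH_MAGIC_64:
        cputype = struct.unpack(">I", data[4:8])[0]
        return {CPU_NAMES.get(cputype, f"cputype_{cputype:#x}")}
    return set()


def min_os_version(info_plist: bytes) -> str | None:
    """LSMinimumSystemVersion from Contents/Info.plist, or None if absent."""
    return plistlib.loads(info_plist).get("LSMinimumSystemVersion")


def signer_name(codesign_dvv: str) -> str | None:
    """Developer ID name from `codesign -dvv` output, or None if not Developer ID signed."""
    m = AUTHORITY_RE.search(codesign_dvv)
    return m.group("name") if m else None


def is_notarized(spctl_vv: str) -> bool:
    """True if `spctl -a -vv` reports the bundle as a notarized Developer ID app."""
    return "source=Notarized Developer ID" in spctl_vv


def triage(info_plist: bytes, main_binary: bytes, codesign_dvv: str, spctl_vv: str) -> dict:
    """Combine the checks into one record an analyst can compare against the reporting."""
    archs = macho_architectures(main_binary)
    name = signer_name(codesign_dvv)
    return {
        "min_os": min_os_version(info_plist),
        "universal": {"x86_64", "arm64"} <= archs,
        "signer": name,
        "known_signer": name in KNOWN_SIGNER_NAMES,
        "notarized": is_notarized(spctl_vv),
    }


# Constructed sample inputs; only the executable name, minimum OS and
# developer name come from the reporting. Offsets, sizes, paths and the
# Team ID are placeholders.
SAMPLE_PLIST = plistlib.dumps({
    "CFBundleExecutable": "EdoneViewer",
    "LSMinimumSystemVersion": "12.6",
})
SAMPLE_FAT = (
    struct.pack(">II", FAT_MAGIC, 2)
    + struct.pack(">IIIII", 0x01000007, 3, 0x1000, 0x100, 12)  # x86_64 slice
    + struct.pack(">IIIII", 0x0100000C, 0, 0x2000, 0x100, 14)  # arm64 slice
)
SAMPLE_CODESIGN = (
    "Executable=/tmp/SecurePDF Viewer.app/Contents/MacOS/SecurePDF Viewer\n"
    "Authority=Developer ID Application: BBQ BAZAAR PRIVATE LIMITED (TEAMID0000)\n"
    "Authority=Developer ID Certification Authority\n"
    "Authority=Apple Root CA\n"
)
SAMPLE_SPCTL = "/tmp/SecurePDF Viewer.app: accepted\nsource=Notarized Developer ID\n"

if __name__ == "__main__":
    print(triage(SAMPLE_PLIST, SAMPLE_FAT, SAMPLE_CODESIGN, SAMPLE_SPCTL))
```

A match on any one field is weak on its own: plenty of legitimate universal apps require 12.6, and a notarized Developer ID signature is exactly what these lures were built to have. The value is in the combination, and in the signer name, which Apple can revoke after the fact; a bundle whose `spctl` verdict flips from accepted to rejected between two runs is worth a second look.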

This Cyber News was published on www.darkreading.com. Publication date: Thu, 30 Nov 2023 20:25:01 +0000
