North Korean-aligned threat actors targeting macOS staged a busy 2023, with RustBucket and KandyKorn as the two major campaigns examined. The analysis shows actors mixing components across operations—using SwiftLoader droppers to pivot to KandyKorn payloads—and outlines multi-stage techniques designed to hijack processes, download additional payloads, and establish persistence. #RustBucket #KandyKorn #SwiftLoader #ObjCShellz #SecurePDFViewer #Discord
Keypoints
- North Korean-aligned actors targeted macOS in 2023 with two prominent campaigns: RustBucket (SwiftLoader) and KandyKorn (multi-stage operation).
- RustBucket's first stage was a malicious "External PDF Viewer" lure; the SwiftLoader dropper then retrieved and ran a Rust-based second stage.
- KandyKorn used Discord social engineering to drop a Python app disguised as a crypto arbitrage bot, then delivered a C++ RAT named KandyKorn via multiple stages.
- Recent activity shows mixing and matching: SwiftLoader droppers pivoting to deliver KandyKorn payloads, linking the campaigns’ infrastructure.
- KandyKorn operates through five stages, involving Python dropper components, Mach-O loaders, persistence tricks, and in-memory execution of the RAT.
- Shared infrastructure connections (ObjCShellz, SecurePDF Viewer variants) and domains (tp.globa.xyz, on-global.xyz) indicate an intertwined infection chain.
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link – “A Discord user is socially engineered into downloading a malicious Python application, Cross-Platform Bridges.zip. Initially, links to the malware were sent to targets via direct message with the malware hosted on Google drive.”
- [T1059.006] Python – “The Python application was distributed as Cross-Platform Bridges.zip and contained multiple benign Python scripts.”
- [T1105] Ingress Tool Transfer – “FinderTools downloads and executes a Mach-O binary, dubbed SUGARLOADER, at /Users/Shared/.sld.”
- [T1055] Process Injection – “SUGARLOADER retrieves a C2 URL from the configuration file… and downloads and executes the KANDYKORN remote access trojan in-memory via NSCreateObjectFileImageFromMemory and NSLinkModule.” (Editor's note: the quoted calls load the RAT into SUGARLOADER's own address space rather than into another process, so T1620 Reflective Code Loading is the closer mapping; the in-memory, never-on-disk execution is the point for defenders.)
- [T1547.015] Boot or Logon Autostart: Login Items – “a persistence mechanism that will not be detected by Apple’s monitoring of background login items.”
- [T1036] Masquerading – “the genuine Discord executable is renamed as .lock in the same directory.”
Indicators of Compromise
- [SHA1 Hashes] context – 62267b88fa6393bc1f1eeb778e4da6b564b7011e, 8f6c52d7e82fbfdead3d66ad8c52b372cc9e8b18, and 9 more hashes
- [Domains] context – tp.globa.xyz, on-global.xyz, and 2 more domains (docs-send.online, swissborg.blog)
- [IPs] context – 23.254.226.90, 104.168.214.151, and 2 more IPs
- [File Paths] context – /Users/Shared/.pld, /Users/Shared/.pw, and 2 more
- [File Names] context – Cross-Platform Bridges.zip, SUGARLOADER, and 3 more
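The indicators above are only useful if something actually sweeps hosts and logs for them, so the following is an added example (not code from the original page or from the reporting vendor) that turns the listed hashes, paths, domains, IPs and dropper name into a small hunt, and also checks for the T1036 pattern of the genuine Discord binary renamed to `.lock` inside Discord.app. The hash, domain, IP and path values are the ones printed on this page; the `FileRecord` and connection tuples below are constructed sample input, and the "…and N more" entries the page elides are not filled in.

```python
"""Hunt for the KandyKorn / SUGARLOADER indicators listed on this page.

Added example, not the page's or the vendor's code. IoC values are taken from
the page's IoC list; SAMPLE_FILES and SAMPLE_CONNECTIONS are constructed.
"""
from __future__ import annotations

import posixpath
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Indicators as printed on the page (the elided "and N more" entries are omitted).
SHA1_IOCS = {
    "62267b88fa6393bc1f1eeb778e4da6b564b7011e",
    "8f6c52d7e82fbfdead3d66ad8c52b372cc9e8b18",
}
PATH_IOCS = {"/Users/Shared/.sld", "/Users/Shared/.pld", "/Users/Shared/.pw"}
DOMAIN_IOCS = {"tp.globa.xyz", "on-global.xyz", "docs-send.online", "swissborg.blog"}
IP_IOCS = {"23.254.226.90", "104.168.214.151"}
DROPPER_NAMES = {"Cross-Platform Bridges.zip"}


@dataclass(frozen=True)
class FileRecord:
    path: str   # absolute POSIX path as reported by the endpoint agent
    sha1: str   # hex SHA-1 of the file contents


@dataclass(frozen=True)
class Finding:
    kind: str    # "hash" | "path" | "name" | "masquerade" | "network"
    subject: str  # path or hostname the finding is about
    detail: str


def check_file(rec: FileRecord) -> List[Finding]:
    """Match one file record against the hash, path and file-name indicators."""
    findings: List[Finding] = []
    if rec.sha1.lower() in SHA1_IOCS:
        findings.append(Finding("hash", rec.path, rec.sha1.lower()))
    if rec.path in PATH_IOCS:
        findings.append(Finding("path", rec.path, "known loader drop path"))
    if posixpath.basename(rec.path) in DROPPER_NAMES:
        findings.append(Finding("name", rec.path, "dropper archive name"))
    return findings


def check_discord_masquerade(records: Iterable[FileRecord]) -> List[Finding]:
    """Flag a '.lock' file inside Discord.app/Contents/MacOS (T1036: the genuine
    Discord executable renamed so a loader can take its place)."""
    findings: List[Finding] = []
    for rec in records:
        parent = posixpath.dirname(rec.path)
        if posixpath.basename(rec.path) == ".lock" and parent.endswith("Discord.app/Contents/MacOS"):
            findings.append(Finding("masquerade", rec.path, "genuine Discord renamed to .lock"))
    return findings


def check_network(connections: Iterable[Tuple[str, str]]) -> List[Finding]:
    """connections: (destination hostname, destination IP) pairs from DNS/proxy logs."""
    return [
        Finding("network", host, ip)
        for host, ip in connections
        if host in DOMAIN_IOCS or ip in IP_IOCS
    ]


def sweep(records: List[FileRecord], connections: List[Tuple[str, str]]) -> List[Finding]:
    """Run every check and return the combined findings."""
    findings: List[Finding] = []
    for rec in records:
        findings.extend(check_file(rec))
    findings.extend(check_discord_masquerade(records))
    findings.extend(check_network(connections))
    return findings


# Constructed sample input: one hit per indicator class plus benign noise.
SAMPLE_FILES = [
    FileRecord("/Users/Shared/.sld", "62267B88FA6393BC1F1EEB778E4DA6B564B7011E"),
    FileRecord("/Users/alice/Downloads/Cross-Platform Bridges.zip", "0" * 40),
    FileRecord("/Applications/Discord.app/Contents/MacOS/.lock", "1" * 40),
    FileRecord("/Applications/Discord.app/Contents/MacOS/Discord", "2" * 40),
    FileRecord("/Users/alice/notes.txt", "3" * 40),
]
SAMPLE_CONNECTIONS = [
    ("tp.globa.xyz", "203.0.113.10"),     # domain IoC, unrelated IP
    ("cdn.example.com", "203.0.113.20"),  # benign
    ("", "23.254.226.90"),                # IP IoC with no hostname
]

if __name__ == "__main__":
    for f in sweep(SAMPLE_FILES, SAMPLE_CONNECTIONS):
        print(f"{f.kind:<10} {f.subject}  ({f.detail})")
```

Hash and path matching is case-normalised on the hash only: macOS paths are case-insensitive by default but the dropped paths here are lowercase hidden files, so an exact match is adequate. The `.lock` check is the most durable of these because it keys on the tradecraft rather than on a hash the actor can rotate per victim; treat the hash, domain and IP hits as confirmation, not as the only trigger.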