DPRK Crypto Theft | macOS RustBucket Droppers Pivot to Deliver KandyKorn Payloads

2023-11-27, SentinelOne
https://www.sentinelone.com/blog/dprk-crypto-theft-macos-rustbucket-droppers-pivot-to-deliver-kandykorn-payloads/
#RustBucket #BlueNoroff #macOS #KANDYKORN

North Korean-aligned threat actors targeting macOS have had a busy 2023, with two major campaigns noted so far: RustBucket and KandyKorn. The initial RustBucket campaign used a second-stage malware, dubbed ‘SwiftLoader’, which outwardly functioned as a PDF viewer for a lure document sent to targets. While the victim viewed the lure, SwiftLoader retrieved and executed a further-stage payload written in Rust. The KandyKorn campaign, meanwhile, was an elaborate multi-stage operation targeting blockchain engineers at a crypto exchange platform. Python scripts were used to drop malware that hijacked the host’s installed Discord app, and subsequently delivered a C++ backdoor RAT dubbed ‘KandyKorn’.
Our analysis of further activity in these campaigns suggests that DPRK threat actors are now ‘mixing and matching’ components from these operations, with SwiftLoader droppers being used to deliver KandyKorn payloads. In this post, we provide an extensive review of this activity and share further indicators to help …
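The indicator list below mixes SHA-1 hashes, one SHA-256 hash, IP addresses and URLs in a single lexically sorted block, which is awkward to load into a blocklist or hunting query as-is. The script that follows is an added example written for this page, not code from SentinelOne or lazarusholic: it classifies each indicator by type, builds lookup sets, derives hosts from the URLs, and matches file digests or URLs against them. The indicator subset embedded in it is copied from the page; the helper names, the SHARED_HOSTS allowlist and the classification rules are this example's own assumptions.

```python
"""Triage the IoC list from the RustBucket/KandyKorn post.

Added example for this page (not the blog's or the aggregator's code).
The IOCS subset is copied verbatim from the page; helper names, the
SHARED_HOSTS set and the classification rules are assumptions made here.
"""
import hashlib
import ipaddress
import re
from urllib.parse import urlparse

# Subset of the indicators listed on the page (copied verbatim).
IOCS = [
    "060a5d189ccf3fc32a758f1e218f814f6ce81744",
    "8a8de435d71cb0b0ae6d4b15d58b7c85ce3ef8f06b24266c52b2bc49217be257",
    "104.168.214.151",
    "23.254.226.90",
    "http://104.168.214.151",
    "http://docs-send.online/getBalance/usdt/ethereum",
    "http://on-global.xyz",
    "http://on-global.xyz/Of56cYsfVV8/OJITWH2WFx/Jy5S7hSx0K/fP7saoiPBc/A%3D%3D",
    "http://swissborg.blog/zxcv/bnm",
    "http://tp-globa.xyz/OdhLca1mLUp/lZ5rZPxWsh/7yZKYQI43S/fP7savDX6c/bfC",
    "https://drive.google.com/file/d1KW5nQ8MZccug6Mp4QtKyWLT3HIZzHNIL2",
]

# Shared infrastructure: only the exact URL is an indicator, never the host.
# Assumption for this example; extend for your own environment.
SHARED_HOSTS = {"drive.google.com"}

HEX = re.compile(r"^[0-9a-fA-F]+$")
DOMAIN = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$", re.I)


def classify(ioc: str) -> str:
    """Return one of: sha1, sha256, ipv4, url, domain, unknown."""
    s = ioc.strip()
    if HEX.match(s):
        return {40: "sha1", 64: "sha256"}.get(len(s), "unknown")
    try:
        ipaddress.IPv4Address(s)
        return "ipv4"
    except ValueError:
        pass
    if s.startswith(("http://", "https://")):
        return "url"
    if DOMAIN.match(s):
        return "domain"
    return "unknown"


def build_index(iocs):
    """Bucket indicators into lookup sets; derive hosts from URLs.

    Hashes and hosts are lowercased so matching is case-insensitive;
    URLs are kept exact because their paths are the distinguishing part.
    """
    idx = {"sha1": set(), "sha256": set(), "hosts": set(), "urls": set()}
    for ioc in iocs:
        kind = classify(ioc)
        if kind in ("sha1", "sha256"):
            idx[kind].add(ioc.lower())
        elif kind in ("ipv4", "domain"):
            idx["hosts"].add(ioc.lower())
        elif kind == "url":
            idx["urls"].add(ioc)
            host = urlparse(ioc).hostname
            if host and host.lower() not in SHARED_HOSTS:
                idx["hosts"].add(host.lower())
    return idx


def file_digests(path):
    """SHA-1 and SHA-256 of a file, streamed so large binaries are fine."""
    h1, h256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h1.update(chunk)
            h256.update(chunk)
    return h1.hexdigest(), h256.hexdigest()


def match_digests(sha1_hex, sha256_hex, idx):
    """List which digest types of a file hit the indicator sets."""
    hits = []
    if sha1_hex.lower() in idx["sha1"]:
        hits.append("sha1")
    if sha256_hex.lower() in idx["sha256"]:
        hits.append("sha256")
    return hits


def match_url(url, idx):
    """'url' on an exact hit, 'host' on a host hit, else None."""
    if url in idx["urls"]:
        return "url"
    host = (urlparse(url).hostname or "").lower()
    return "host" if host in idx["hosts"] else None


if __name__ == "__main__":
    index = build_index(IOCS)
    for kind, values in sorted(index.items()):
        print(f"{kind}: {len(values)} entries")
```

The host allowlist is the practitioner caveat worth keeping: the Google Drive link in the list is a delivery URL, and collapsing it to its host would block drive.google.com for the whole estate, so only exact-URL matching is applied to entries whose host is in SHARED_HOSTS.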

IoC

SHA-1 file hashes

060a5d189ccf3fc32a758f1e218f814f6ce81744
09ade0cb777f4a4e0682309a4bc1d0f7d4d7a036
26ec4630b4d1116e131c8e2002e9a3ec7494a5cf
3c887ece654ea46b1778d3c7a8a6a7c7c7cfa61c
43f987c15ae67b1183c4c442dc3b784faf2df090
46ac6dc34fc164525e6f7886c8ed5a79654f3fd3
5c93052713f317431bf232a2894658a3a4ebfad9
62267b88fa6393bc1f1eeb778e4da6b564b7011e
79337ccda23c67f8cfd9f43a6d3cf05fd01d1588
884cebf1ad0e65f4da60c04bc31f62f796f90d79
8d5d214c490eae8f61325839fcc17277e514301e
8f6c52d7e82fbfdead3d66ad8c52b372cc9e8b18
9f97edbc1454ef66d6095f979502d17067215a9d
a1a8a855f64a6b530f5116a3785a693d78ec09c0
ac336c5082c2606ab8c3fb023949dfc0db2064d5
be903ded39cbc8332cefd9ebbe7a66d95e9d6522
c45f514a252632cb3851fe45bed34b175370d594
c806c7006950dea6c20d3d2800fe46d9350266b6
ce3705baf097cd95f8f696f330372dd00996d29a
d28830d87fc71091f003818ef08ff0b723b3f358
e244ff1d8e66558a443610200476f98f653b8519
e275deb68cdff336cb4175819a09dbaf0e1b68f6
e68bfa72a4b4289a4cc688e81f9282b1f78ebc1f
e77270ac0ea05496dd5a2fbccba3e24eb9b863d9

SHA-256 file hash

8a8de435d71cb0b0ae6d4b15d58b7c85ce3ef8f06b24266c52b2bc49217be257

IP addresses

23.254.226.90
104.168.214.151
142.11.209.144
192.119.64.43

URLs

http://23.254.226.90
http://104.168.214.151
http://142.11.209.144
http://192.119.64.43
http://docs-send.online/getBalance/usdt/ethereum
http://on-global.xyz
http://on-global.xyz/Of56cYsfVV8/OJITWH2WFx/Jy5S7hSx0K/fP7saoiPBc/A%3D%3D
http://swissborg.blog/zxcv/bnm
http://tp-globa.xyz/OdhLca1mLUp/lZ5rZPxWsh/7yZKYQI43S/fP7savDX6c/bfC
https://drive.google.com/file/d1KW5nQ8MZccug6Mp4QtKyWLT3HIZzHNIL2