N. Korean Threat Groups Mixing Tactics to Evade Detection

Researchers with Google-owned Mandiant last month wrote about increasing collaboration among North Korea-supported threat groups as one indication of a larger evolution of the regime’s offensive cyber program.

The half-dozen or so state-sponsored cyberthreat groups associated with North Korea have become more adaptable and flexible since the COVID-19 pandemic, expanding their targets and campaigns and tailoring their malware to particular platforms.

“The level of shared targeting and tooling leads Mandiant to believe that shifts are continuing to occur throughout all parts of the DPRK’s [Democratic People’s Republic of Korea] cyber apparatus,” Mandiant wrote in its report. “Overlaps in targeting and shared tooling muddles attribution attempts for investigators while streamlining adversarial activities.”

Cybersecurity vendor SentinelOne has found instances of North Korean threat actors “mixing and matching” components from two separate cyber campaigns targeting macOS users to better evade detection, giving more credence to Mandiant’s findings in October and bringing more clarity to the operations of these North Korean groups.

Reusing Infrastructure

“Our analysis corroborates findings from other researchers that North Korean-linked threat actors’ tendency to reuse shared infrastructure affords us the opportunity to widen our understanding of their activity and discover fresh indicators of compromise,” SentinelOne Researcher Phil Stokes wrote in a report this week.

The state-sponsored groups from North Korea are aligned with various departments within the government and, like the country itself, can be challenging to fully discern. North Korean leaders use these groups primarily to steal information or money to help fund the country’s ballistic and nuclear weapons programs.

As Mandiant’s report notes, the North Korean threat landscape has always been fluid in nature, though the regime had to ramp up modifications in 2020 as the pandemic swept around the world and hardened borders.

RustBucket and KandyKorn Overlap

SentinelOne’s report involves malware strains aimed at macOS users. RustBucket campaigns are attributed to the high-profile Lazarus Group that typically uses SwiftLoader, a malicious version of a PDF reader that’s used as a lure to entice users. When they view the lure document, SwiftLoader delivers malware written in the Rust programming language.

In the more elaborate KandyKorn campaign, bad actors targeted blockchain engineers of an unnamed crypto exchange platform. In the multiple-stage attack, Python scripts dropped malware that hijacked the target’s Discord app and delivered a backdoor remote access trojan (RAT) called KandyKorn, written in C++.

KandyKorn was first detected by threat researchers at Elastic who wrote that North Korean-sponsored groups continue to “target crypto-industry businesses with the goal of stealing cryptocurrency in order to circumvent international sanctions that hinder the growth of their economy and ambitions.”

With KandyKorn, “they targeted blockchain engineers active on a public chat server with a lure designed to speak to their skills and interests, with the underlying promise of financial gain,” Elastic researchers wrote.

Enter ObjCShellz

SentinelOne’s Stokes wrote that recent campaigns show that hackers are now using the SwiftLoader droppers from the RustBucket operations to deliver KandyKorn payloads. In its research, SentinelOne also found another macOS malware – ObjCShellz, first outlined earlier this month by Jamf Threat Labs – being added to RustBucket incidents.

ObjCShellz, written in Objective-C, is used to maintain persistent remote access.

The RustBucket campaign was first detected in April by Jamf Threat Labs researchers, who attributed it to a state-sponsored advanced persistent threat (APT) group called BlueNoroff, which is a subset of Lazarus. At the time, the group was seen using SwiftLoader to deliver a Rust-based payload. Jamf also attributed ObjCShellz to BlueNoroff.

“A number of RustBucket variants have since been sighted,” Stokes wrote. “Additionally, several variations of the Swift-based stager, collectively dubbed SwiftLoader, have come to light over the last few months.”

SentinelOne has found overlaps between one version of SwiftLoader and KandyKorn, including in infrastructure and tactics.

Jeffrey Burt

Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He’s written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.