

Severity
High
Analysis Summary
Threat actors linked to North Korea and behind the recent distribution of the macOS malware strains KANDYKORN and RustBucket have been observed combining elements of the two attack chains, using RustBucket droppers to deliver KANDYKORN.
RustBucket is a malicious activity cluster linked to the Lazarus Group in which SwiftLoader, a backdoored version of a PDF reader app, launches a next-stage payload written in Rust. The malware is loaded once the victim opens a specially crafted lure document.
The KANDYKORN campaign is an operation in which blockchain engineers at an unnamed crypto exchange platform were targeted to initiate an advanced multi-stage attack chain, culminating in the installation of a memory-resident remote access trojan with multiple capabilities. The threat actors used Discord to contact their targets.
ObjCShellz also forms part of the overall attack sequence: a later-stage payload that acts as a remote shell and executes shell commands received from the attacker-controlled C2 server.

Cybersecurity analysts report that the Lazarus Group is using SwiftLoader to spread KANDYKORN, further corroborating a recent Google report stating that different North Korean advanced persistent threat (APT) groups are borrowing tactics and tools from one another.
“Our analysis of further activity in these campaigns suggests that DPRK threat actors are now ‘mixing and matching’ components from these operations, with SwiftLoader droppers being used to deliver KandyKorn payloads,” the security researchers said.
The threat actors are also using new variants of the SwiftLoader stager that masquerade as an executable called EdoneViewer; in reality the binary contacts an actor-controlled domain, likely to fetch the KANDYKORN RAT. There is substantial overlap in the infrastructure and tactics used.
The disclosure comes as security experts indicated that Andariel, a subgroup of Lazarus, launched attacks exploiting a critical Apache ActiveMQ vulnerability tracked as CVE-2023-46604 (CVSS score 10.0) to install the TigerRAT and NukeSped backdoors.
Impact
- Financial Loss
- Sensitive Data Theft
Indicators of Compromise
MD5
- e45394036e56637192bcc44d02bb00d9
- 541341fc477523fed26e8b7edec1c6bb
- 447fa7141877e0f01fa191b70791dfbf
- 2df15cbc4367b5806e8a3c6abf88abdf
- b58dce1b81357a78b49546468f3adbe1
- 5d0df3f506138b4ba7c7bb1f22b3abd5
- 056b1d9ce628efe6128e17cddab3811e
- f8fdfb1d21eaebaeaa117b041d42447a
- 015c5d12273dde42fd0a17985ee9a1cd
- a4963b1b9468027d78273e86a1793c1b
- 749da6c3a50f60f3636443275118b20f
- 1c817e846021bef433701a9815f906e8
- 90385d612877e9d360196770d73d22d6
- 3b3b3b9f7c71fcd7239abe90c97751c0
- b1e01ae0006f449781a05f4704546b34
- 1fddf14984c6b57358401a4587e7b950
- d8011dcca570689d72064b156647fa82
SHA-256
- 015c4b621ae7161417b59c0ca24249a0680504107a9069128d2a8ba32ef21ada
- 51dd4efcf714e64b4ad472ea556bf1a017f40a193a647b9e28bf356979651077
- d57a2e0c42c63659d6c09fc593fd5d272aec75b3629d9993b760142c731a191d
- 1d6cf7159c8dd98299798b0985f62dd15cb2e64550cd57a9e747dc3bee5f46d8
- f91801b458d875cfe61f927d16202b3a853d07e89a66ca4663989878e94242ad
- 55039ec59463982073cc129c06f1347738d06f8abf6dc86c631f8a83a5997eec
- d2d60f678d0b881b3e079b46bdb813f9f7d8802a227aea46926e4bbd1838f9e5
- c99729c39d197dd774e6febab5ec33abdf31f4404b4ffadad553efb3aa86192d
- 544891c71c30ab4d883f0548a17891aed1b33fcd6e423da8c20d1ce8a3161aff
- 6a1196f3ff2e331ae1e64ac38922ee078fdcc174ec05b71b6526ff501f19250a
- 0753859738620c7394f04220e273974982203a6ea1c2a30247149a9c8ff07037
- 2ade7f8def7eceba3e8f0e5d29d0a19626bfc595aeb1ed95b7404210569c6304
- 47b8b4d55d75505d617e53afcb6c32dd817024be209116f98cbbc3d88e57b4d1
- c556baaac706191ce75c9263b349242caa3d8efca7b5639896fa3e6570d7c76e
- 36001b8b9e05935756fa7525dd49d91b59ea882efe5a2d23ccec35fef96138d4
- c9a7b42c7b29ca948160f95f017e9e9ae781f3b981ecf6edbac943e52c63ffc8
- c7f4aa77be7f7afe9d0665d3e705dbf7794bc479bb9c44488c7bf4169f8d14fe
SHA-1
- 26ec4630b4d1116e131c8e2002e9a3ec7494a5cf
- 46ac6dc34fc164525e6f7886c8ed5a79654f3fd3
- 62267b88fa6393bc1f1eeb778e4da6b564b7011e
- 8d5d214c490eae8f61325839fcc17277e514301e
- 8f6c52d7e82fbfdead3d66ad8c52b372cc9e8b18
- 9f97edbc1454ef66d6095f979502d17067215a9d
- ac336c5082c2606ab8c3fb023949dfc0db2064d5
- c45f514a252632cb3851fe45bed34b175370d594
- ce3705baf097cd95f8f696f330372dd00996d29a
- e244ff1d8e66558a443610200476f98f653b8519
- e77270ac0ea05496dd5a2fbccba3e24eb9b863d9
- e275deb68cdff336cb4175819a09dbaf0e1b68f6
- 09ade0cb777f4a4e0682309a4bc1d0f7d4d7a036
- 5c93052713f317431bf232a2894658a3a4ebfad9
- 884cebf1ad0e65f4da60c04bc31f62f796f90d79
- be903ded39cbc8332cefd9ebbe7a66d95e9d6522
- 060a5d189ccf3fc32a758f1e218f814f6ce81744
Remediation
- Block all threat indicators at your respective controls.
- Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on links/attachments sent by unknown senders.
- Ensure that general security policies are employed, including strong passwords, correct configurations, and proper administrative security policies.
- Use multi-factor authentication: Implement multi-factor authentication for all accounts to make it more difficult for attackers to gain access to sensitive systems and data.
- Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets.
- Ensure that all software is kept up-to-date with the latest security patches to minimize the risk of vulnerabilities being exploited.
- Monitor network traffic for unusual or suspicious activity, which may indicate an attack is underway.
- Provide regular security training to all employees to ensure they are aware of the latest threats and how to protect against them.
- Conduct regular security assessments to identify vulnerabilities and weaknesses that could be exploited by attackers.
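To support the "search for IoCs in your environment" step, the following script is an added example (not part of the Rewterz advisory) that embeds the MD5, SHA-1 and SHA-256 indicators listed above, streams every regular file under a directory through all three hash functions in a single pass, and reports any file whose digest matches an indicator. The directory argument, the `scan_tree`/`match_indicators` function names, and the chunk size are this example's own choices; the hash values themselves are copied verbatim from the advisory's IoC section.

```python
"""Hash-sweep a directory tree for files matching the advisory's IoC hashes.

Added example; indicator values are copied from the advisory above, the
scanning logic and function names are this example's own.
"""
import hashlib
import io
import os
import sys

# Indicators copied from the advisory's "Indicators of Compromise" section.
ADVISORY_MD5 = set("""
e45394036e56637192bcc44d02bb00d9 541341fc477523fed26e8b7edec1c6bb 447fa7141877e0f01fa191b70791dfbf
2df15cbc4367b5806e8a3c6abf88abdf b58dce1b81357a78b49546468f3adbe1 5d0df3f506138b4ba7c7bb1f22b3abd5
056b1d9ce628efe6128e17cddab3811e f8fdfb1d21eaebaeaa117b041d42447a 015c5d12273dde42fd0a17985ee9a1cd
a4963b1b9468027d78273e86a1793c1b 749da6c3a50f60f3636443275118b20f 1c817e846021bef433701a9815f906e8
90385d612877e9d360196770d73d22d6 3b3b3b9f7c71fcd7239abe90c97751c0 b1e01ae0006f449781a05f4704546b34
1fddf14984c6b57358401a4587e7b950 d8011dcca570689d72064b156647fa82
""".lower().split())

ADVISORY_SHA1 = set("""
26ec4630b4d1116e131c8e2002e9a3ec7494a5cf 46ac6dc34fc164525e6f7886c8ed5a79654f3fd3
62267b88fa6393bc1f1eeb778e4da6b564b7011e 8d5d214c490eae8f61325839fcc17277e514301e
8f6c52d7e82fbfdead3d66ad8c52b372cc9e8b18 9f97edbc1454ef66d6095f979502d17067215a9d
ac336c5082c2606ab8c3fb023949dfc0db2064d5 c45f514a252632cb3851fe45bed34b175370d594
ce3705baf097cd95f8f696f330372dd00996d29a e244ff1d8e66558a443610200476f98f653b8519
e77270ac0ea05496dd5a2fbccba3e24eb9b863d9 e275deb68cdff336cb4175819a09dbaf0e1b68f6
09ade0cb777f4a4e0682309a4bc1d0f7d4d7a036 5c93052713f317431bf232a2894658a3a4ebfad9
884cebf1ad0e65f4da60c04bc31f62f796f90d79 be903ded39cbc8332cefd9ebbe7a66d95e9d6522
060a5d189ccf3fc32a758f1e218f814f6ce81744
""".lower().split())

ADVISORY_SHA256 = set("""
015c4b621ae7161417b59c0ca24249a0680504107a9069128d2a8ba32ef21ada
51dd4efcf714e64b4ad472ea556bf1a017f40a193a647b9e28bf356979651077
d57a2e0c42c63659d6c09fc593fd5d272aec75b3629d9993b760142c731a191d
1d6cf7159c8dd98299798b0985f62dd15cb2e64550cd57a9e747dc3bee5f46d8
f91801b458d875cfe61f927d16202b3a853d07e89a66ca4663989878e94242ad
55039ec59463982073cc129c06f1347738d06f8abf6dc86c631f8a83a5997eec
d2d60f678d0b881b3e079b46bdb813f9f7d8802a227aea46926e4bbd1838f9e5
c99729c39d197dd774e6febab5ec33abdf31f4404b4ffadad553efb3aa86192d
544891c71c30ab4d883f0548a17891aed1b33fcd6e423da8c20d1ce8a3161aff
6a1196f3ff2e331ae1e64ac38922ee078fdcc174ec05b71b6526ff501f19250a
0753859738620c7394f04220e273974982203a6ea1c2a30247149a9c8ff07037
2ade7f8def7eceba3e8f0e5d29d0a19626bfc595aeb1ed95b7404210569c6304
47b8b4d55d75505d617e53afcb6c32dd817024be209116f98cbbc3d88e57b4d1
c556baaac706191ce75c9263b349242caa3d8efca7b5639896fa3e6570d7c76e
36001b8b9e05935756fa7525dd49d91b59ea882efe5a2d23ccec35fef96138d4
c9a7b42c7b29ca948160f95f017e9e9ae781f3b981ecf6edbac943e52c63ffc8
c7f4aa77be7f7afe9d0665d3e705dbf7794bc479bb9c44488c7bf4169f8d14fe
""".lower().split())

EXPECTED_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def validate_indicators():
    """Sanity-check that every embedded indicator is well-formed hex of the right length."""
    for algo, values in (("md5", ADVISORY_MD5), ("sha1", ADVISORY_SHA1), ("sha256", ADVISORY_SHA256)):
        for v in values:
            if len(v) != EXPECTED_HEX_LEN[algo]:
                return False
            int(v, 16)  # raises ValueError if any indicator is not valid hex
    return True


def hash_stream(fh, chunk_size=1 << 20):
    """Compute MD5, SHA-1 and SHA-256 of a binary stream in one pass (1 MiB chunks)."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_bytes(data):
    """Convenience wrapper: hash an in-memory byte string (used for testing)."""
    return hash_stream(io.BytesIO(data))


def hash_file(path):
    """Hash a file on disk without loading it fully into memory."""
    with open(path, "rb") as fh:
        return hash_stream(fh)


def match_indicators(digests, md5_set=ADVISORY_MD5, sha1_set=ADVISORY_SHA1, sha256_set=ADVISORY_SHA256):
    """Return a list of (algorithm, digest) pairs that hit one of the indicator sets."""
    hits = []
    for algo, ioc_set in (("md5", md5_set), ("sha1", sha1_set), ("sha256", sha256_set)):
        if digests[algo] in ioc_set:
            hits.append((algo, digests[algo]))
    return hits


def scan_tree(root, **ioc_sets):
    """Walk `root` and return {path: hits} for every regular file matching an indicator.

    Symlinks are skipped so the sweep cannot be steered outside the tree, and
    unreadable files are ignored rather than aborting the whole scan.
    """
    results = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                hits = match_indicators(hash_file(path), **ioc_sets)
            except OSError:
                continue
            if hits:
                results[path] = hits
    return results


if __name__ == "__main__":
    root_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    for matched_path, matched in scan_tree(root_dir).items():
        for algo, digest in matched:
            print(f"MATCH {algo} {digest} {matched_path}")
```

Run it as `python ioc_sweep.py /path/to/scan`; a clean tree prints nothing. Hashing all three algorithms in a single read keeps the sweep I/O-bound rather than reading each file three times, and keeping the indicator sets as parameters of `match_indicators` and `scan_tree` lets you swap in a newer IoC list without touching the scanning logic.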