
New hacker strategy: mix code of multiple malware to avoid detection


According to research carried out by experts at SentinelOne, a practice that is as bizarre as it is effective is spreading among North Korean hackers.

Specifically, it appears that malicious code from two malware strains recently active in the macOS environment, namely RustBucket and KandyKorn, has been mixed together, creating a sort of hybrid of the two malicious agents. The purpose of this operation, apparently, is to make attacks even more unpredictable and harder to detect.

Specifically, the campaign that was uncovered exploits SwiftLoader, RustBucket's typical dropper, combining it with the payload of the KandyKorn RAT.

This singular modus operandi, however, does not entirely surprise the experts. The North Korean groups, in fact, appear to operate under government directives. This means that the various groups are given a common direction and, it seems, often find themselves collaborating with one another.

RustBucket and KandyKorn: two malware “fused” together to avoid detection

The RustBucket campaign uses a backdoor, SwiftLoader, that passes itself off as a PDF reader. While victims read documents, SwiftLoader retrieves and executes additional malware written in Rust.

KandyKorn, on the other hand, is a multi-stage campaign that targets blockchain engineers working on cryptocurrency exchange platforms. In this case, the cybercriminals use Python scripts to distribute the malware, take control of the host's Discord app, and then introduce a RAT backdoor written in C++ called KandyKorn.

The shared infrastructure allows the attackers to use SwiftLoader to install HLoader, a payload built to interact with Discord, which achieves persistence through the app's frequent launches and thus evades detection.

Certainly, the hacking activity coming from the Asian country represents an enormous threat on a global level, relying on some of the most well-known and feared cybercriminal gangs.
