2023-11-28

North Korean threat actors behind two major macOS-targeting malware strains of 2023 -- RustBucket and KandyKorn -- have been found mixing the elements of these disparate attacks to evade detection, according to a SentinelOne study.

The new technique leverages the RustBucket dropper, SwiftLoader, to deliver the KandyKorn remote access trojan (RAT) payload.

"We provide the first clues that RustBucket droppers and KandyKorn payloads are likely being shared as part of the same infection chain," SentinelOne said in a blog post on the findings. "Our analysis corroborates findings from other researchers that North Korean-linked threat actors' tendency to reuse shared infrastructure affords us the opportunity to widen our understanding of their activity and discover fresh indicators of compromise."

SentinelOne also noted the use of a late-stage RustBucket payload, ObjCShellz, another macOS-specific malware that executes simple shell commands received from a remote C2 server.

Shared infrastructure for obfuscation

Recent studies have indicated overlaps in the tools and techniques used by different North Korean hacker groups, as also corroborated by a recent Mandiant report on the current structure of North Korea's cyber operations.

"While different threat groups share tooling and code, North Korean threat activity continues to adapt and change to build tailored malware for different platforms, including Linux and macOS," Mandiant said in the report.