RustBucket and KandyKorn: North Korean-Linked Malware Threats
01 Dec

Two significant pieces of malware targeting macOS in 2023, RustBucket and KandyKorn, have been attributed to North Korean threat actors.


Both malware families employ advanced techniques to evade detection, according to research by SentinelOne.

The newly observed technique uses the RustBucket droppers, also known as SwiftLoader, to deliver KandyKorn, a modified Remote Access Trojan (RAT), as the final payload. Initial signs suggest that RustBucket droppers and KandyKorn payloads may belong to the same infection chain, as reported by SentinelOne in a blog post. Our analysis confirms the findings of other researchers, strengthening the trend of threat actors associated with North Korea reusing common infrastructure; this allows us to deepen our understanding of their activities and identify new indicators of compromise.

Additionally, SentinelOne highlights the use of the advanced RustBucket payload, also known as ObjCShellz, a macOS-specific component used for remote command and control execution. Recent research has revealed overlaps in the tools and techniques used by various North Korean hacking groups, confirming the findings of a recent Mandiant report on North Korea's cyber operations.

As cybersecurity professionals continue to analyze and respond to these emerging threats, staying informed about the evolving tactics and techniques employed by North Korean threat actors remains crucial for safeguarding digital infrastructure and sensitive information.