The Dual Threat of KandyKorn and RustBucket Campaigns by North Korean Hackers

Source: SentinelOne, Elastic, JAMF Threat Labs


An examination of campaigns conducted by threat actors aligned with the Democratic People's Republic of Korea (DPRK) identified two prominent campaigns during 2023: RustBucket and KandyKorn. Researchers from SentinelOne expand on analysis by Elastic Security Labs and JAMF Threat Labs, reviewing attacks that used macOS malware to compromise financial-services entities and blockchain engineers. The RustBucket campaign relied on a second-stage loader named 'SwiftLoader,' masquerading as a PDF viewer to lure targets. The KandyKorn campaign, by contrast, was a multi-stage operation that specifically targeted blockchain engineers at a cryptocurrency exchange. Using social engineering over Discord, the threat actors delivered malicious Python scripts to initial victims and ultimately deployed a backdoor RAT named 'KandyKorn' written in C++. SentinelOne's analysis suggests that these threat actors are now interweaving components from both campaigns, "with SwiftLoader droppers being used to deliver KandyKorn payloads."

An outline of the KandyKorn operation describes a five-stage attack that begins with a Discord user being lured through social engineering into downloading a malicious Python application distributed via Google Drive links. This Python application was "disguised as a cryptocurrency arbitrage bot, a popular tool among crypto traders," SentinelOne explains. Following the execution of the Python scripts, the attack culminates in the execution of the KANDYKORN remote access trojan. The attackers leverage Discord and macOS-specific techniques to achieve stealth and persistence. The malware, orchestrated by North Korean threat actors, employs various tactics, including C2 communication, Mach-O payloads, and sideloading of a malicious loader from within a legitimate application bundle (macOS has no DLLs; this is the platform's equivalent of DLL sideloading).
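The bundle-sideloading tactic mentioned above leaves a structural trace a hunter can look for: an application bundle whose Contents/MacOS directory contains Mach-O executables other than the one declared in Info.plist, often a hidden dotfile holding the renamed original. The following check is an added example and is not code from SentinelOne, Elastic, JAMF or the page; the bundle name "Chat", the identifier "com.example.chat" and the fake Mach-O files it constructs are assumptions made for the demonstration, not artifacts from the campaign.

```python
"""Hunt check: flag undeclared or hidden Mach-O executables inside an app
bundle's Contents/MacOS directory, the layout an impersonating loader leaves.

Added example, not from the original page or the cited vendors' reports."""
import plistlib
import tempfile
from pathlib import Path

# On-disk magic values for thin (32/64-bit, either byte order) and fat Mach-O files.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM (32-bit)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe",                       # FAT_MAGIC (universal binary)
}


def is_macho(path: Path) -> bool:
    """True if the file starts with a Mach-O or fat header magic."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False


def audit_bundle(bundle: Path) -> dict:
    """Compare CFBundleExecutable against what actually sits in Contents/MacOS.

    Returns the declared executable name, every Mach-O file that is not the
    declared one (hidden dotfiles included) and an overall verdict.
    """
    with open(bundle / "Contents" / "Info.plist", "rb") as fh:
        info = plistlib.load(fh)
    declared = info.get("CFBundleExecutable")
    macos_dir = bundle / "Contents" / "MacOS"
    found = sorted(p.name for p in macos_dir.iterdir() if p.is_file() and is_macho(p))
    undeclared = [name for name in found if name != declared]
    declared_ok = declared is not None and is_macho(macos_dir / declared)
    return {
        "declared": declared,
        "declared_is_macho": declared_ok,
        "undeclared_machos": undeclared,
        "suspicious": bool(undeclared) or not declared_ok,
    }


def build_sample_bundle(root: Path, name: str, tampered: bool) -> Path:
    """Construct a minimal fake bundle for the demo (assumed layout, not a real app).

    The 'Mach-O' files are only a valid magic plus padding. When tampered, the
    declared executable slot is occupied by a second binary (the loader) and
    the original is kept beside it as a hidden dotfile.
    """
    bundle = root / f"{name}.app"
    macos_dir = bundle / "Contents" / "MacOS"
    macos_dir.mkdir(parents=True)
    with open(bundle / "Contents" / "Info.plist", "wb") as fh:
        plistlib.dump(
            {"CFBundleExecutable": name,
             "CFBundleIdentifier": f"com.example.{name.lower()}"},  # assumed identifier
            fh,
        )
    fake_macho = b"\xcf\xfa\xed\xfe" + b"\x00" * 28  # MH_CIGAM_64 magic + padding
    (macos_dir / name).write_bytes(fake_macho)
    if tampered:
        (macos_dir / f".{name}").write_bytes(fake_macho)  # renamed original, hidden
    return bundle


def demo() -> tuple:
    """Audit one clean and one tampered constructed bundle; returns both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        clean = audit_bundle(build_sample_bundle(root / "clean", "Chat", tampered=False))
        bad = audit_bundle(build_sample_bundle(root / "bad", "Chat", tampered=True))
    return clean, bad


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered"), demo()):
        print(label, result)
```

On a real host the same `audit_bundle` can be pointed at `/Applications/*.app`; a hit is a lead, not a verdict, since some legitimate bundles ship helper binaries in Contents/MacOS, so pair it with a code-signature check of each flagged file.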

In the distinct but interconnected and evolving RustBucket campaign, initially reported by JAMF Threat Labs, North Korean threat actors employed an AppleScript applet and a Swift-based application bundle called 'Internal PDF Viewer.app.' The campaign has since featured various RustBucket variants and SwiftLoader stagers, including a notable variant named SecurePDF Viewer.app that was "signed and notarized by Apple," although the signature has since been revoked. SwiftLoader, an integral component, has been observed delivering the KandyKorn remote access trojan (RAT). Overlaps identified between SwiftLoader and KandyKorn include similar domains used to download payloads, and files dropped into the same directories, albeit with different file extensions. A significant finding is a KANDYKORN RAT variant delivered with a .pld file extension; together with the overlaps in infrastructure, objectives, and tactics, this supports a likely connection between SwiftLoader, RustBucket, and the KandyKorn campaign, although SentinelOne assesses the connection with only medium confidence.
