Tuesday, November 12, 2024
HomeCyber Security NewsNorth Korean Hackers Attacking macOS Using Weaponized Documents

North Korean Hackers Attacking macOS Using Weaponized Documents

Published on

Malware protection

Hackers often use weaponized documents to exploit vulnerabilities in software, which enables the execution of malicious code.

All these documents contain malicious code or macros, often disguised as familiar files, which help hackers gain unauthorized access and deliver malware to their targets.

Recently, the cybersecurity researchers at SentinelOne reported that North Korean hackers are actively attacking the macOS using weaponized documents.

- Advertisement - SIEM as a Service
Document
Protect Your Storage With SafeGuard

Is Your Storage & Backup Systems Fully Protected? – Watch 40-second Tour of SafeGuard

StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.

Hackers Attacking macOS

North Korean threat actors focused on macOS in 2023 with two major campaigns, and here below, we have mentioned those major campaigns:-

  • RustBucket
  • KandyKorn

RustBucket employed ‘SwiftLoader,’ disguising itself as a PDF Viewer, to deliver a Rust-written second-stage malware. 

While in the KandyKorn campaign, Python scripts targeted blockchain engineers, delivering a C++ backdoor RAT named ‘KandyKorn’ after hijacking the Discord app on hosts.

A five-stage attack targeted users through Discord, using social engineering to trick them into downloading a malicious Python app.

This Python app is disguised as a crypto arbitrage bot that is distributed as Cross-Platform “Bridges.zip,” and the app contains several harmless Python scripts.

Bridges.zip contents (Source - SentinelOne)
Bridges.zip contents (Source – SentinelOne)

Here below, we have mentioned all the stages:-

  • Stage 0: In this stage, the Discord user is tricked into downloading a malicious Python app, Cross-Platform Bridges.zip. Then, the malware links are sent via direct message and hosted on Google Drive. Then, as a module, the app’s Main.py script imports Watcher.py.
  • Stage 1: In this stage, Watcher.py verifies the Python version and runs testSpeed.py, which downloads and executes FinderTools. After execution, testSpeed.py is removed, and then the “FinderTools” is saved at /Users/Shared/FinderTools.
  • Stage 2: In this stage, the FinderTools runs SUGARLOADER from /Users/Shared/.sld, copying it as .log and appname in /Applications/Discord.app/Contents/MacOS/. SUGARLOADER, coded in C++, looks for a config file at /Library/Caches/com.apple.safari.ck, downloading from C2 if absent. After that, the FinderTools links C2 tp.globa.xyz in the intrusion observed by the cybersecurity researchers.
  • Stage 3: In this stage, the SUGARLOADER downloads HLOADER, replaces genuine Discord, and sets up a stealthy persistence mechanism in /Applications/Discord.app/Contents/MacOS/Discord. HLOADER cleverly disguises itself as MacOS.tmp, ensuring continuous undetected execution alongside Discord. Apple’s login item monitoring remains unaware to this smart renaming/reloading strategy, enhancing persistence.
  • Stage 4: In this stage, from the com.apple.safari.ck the SUGARLOADER grabs the C2 URL to fetch and run the KANDYKORN via NSCreateObjectFileImageFromMemory and NSLinkModule. It’s a North Korean macOS malware technique seen in UnionCryptoTrader (2019). 

North Korean threat actors have an evolving campaign named RustBucket, using the Swift-based app SecurePDF Viewer.app. It’s signed by “BBQ BAZAAR PRIVATE LIMITED” and reaches out to docs-send.online. 

Another variant, Crypto-assets app.zip, signed by “Northwest Tech-Con Systems Ltd,” connects to on-global.xyz, dropping an executable at /Users/Shared/.pw. 

This .pw file, associated with KandyKorn, references /Users/Shared/.pld, matching KandyKorn RAT, indicating shared infrastructure, objectives, and TTPs.

IOCs

SUGARLOADER

  • d28830d87fc71091f003818ef08ff0b723b3f358

HLOADER

  • 43f987c15ae67b1183c4c442dc3b784faf2df090

KANDYKORN RAT

  • 26ec4630b4d1116e131c8e2002e9a3ec7494a5cf
  • 46ac6dc34fc164525e6f7886c8ed5a79654f3fd3
  • 62267b88fa6393bc1f1eeb778e4da6b564b7011e
  • 8d5d214c490eae8f61325839fcc17277e514301e
  • 8f6c52d7e82fbfdead3d66ad8c52b372cc9e8b18
  • 9f97edbc1454ef66d6095f979502d17067215a9d
  • ac336c5082c2606ab8c3fb023949dfc0db2064d5
  • c45f514a252632cb3851fe45bed34b175370d594
  • ce3705baf097cd95f8f696f330372dd00996d29a
  • e244ff1d8e66558a443610200476f98f653b8519
  • e68bfa72a4b4289a4cc688e81f9282b1f78ebc1f
  • e77270ac0ea05496dd5a2fbccba3e24eb9b863d9

ObjCShell

  • 79337ccda23c67f8cfd9f43a6d3cf05fd01d1588

SecurePDF Viewer

  • a1a8a855f64a6b530f5116a3785a693d78ec09c0
  • e275deb68cdff336cb4175819a09dbaf0e1b68f6

Crypto-assets and their risks for financial stability.app

  • 09ade0cb777f4a4e0682309a4bc1d0f7d4d7a036
  • 5c93052713f317431bf232a2894658a3a4ebfad9
  • 884cebf1ad0e65f4da60c04bc31f62f796f90d79
  • be903ded39cbc8332cefd9ebbe7a66d95e9d6522

Downloader

  • 060a5d189ccf3fc32a758f1e218f814f6ce81744

Remotely-hosted AppleScript

  • 3c887ece654ea46b1778d3c7a8a6a7c7c7cfa61c
  • c806c7006950dea6c20d3d2800fe46d9350266b6

Network Communications

  • http[:]//docs-send.online/getBalance/usdt/ethereum
  • https[:]//drive.google[.]com/file/d1KW5nQ8MZccug6Mp4QtKyWLT3HIZzHNIL2
  • http[:]//on-global[.]xyz/Of56cYsfVV8/OJITWH2WFx/Jy5S7hSx0K/fP7saoiPBc/A%3D%3D
  • http[:]//tp-globa[.]xyz/OdhLca1mLUp/lZ5rZPxWsh/7yZKYQI43S/fP7savDX6c/bfC
  • http[:]//swissborg[.]blog/zxcv/bnm
  • 23.254.226[.]90
  • 104.168.214[.]151
  • 142.11.209[.]144
  • 192.119.64[.]43

File paths

  • /Applications/Discord.app/Contents/MacOS/.log
  • /Applications/Discord.app/Contents/MacOS/appname
  • /Library/Caches/com.apple.safari.ck
  • /tmp/tempXXXXXX
  • /Users/Shared/.pld
  • /Users/Shared/.pw
  • /Users/Shared/.sld

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting...