North Korean Hackers Attacking MacOS Using Weaponized Documents

Hackers often use weaponized documents to exploit vulnerabilities in software, which enables the execution of malicious code.

All these documents contain malicious code or macros, often disguised as familiar files, which help hackers gain unauthorized access and deliver malware to their targets.

Recently, the cybersecurity researchers at SentinelOne reported that North Korean hackers are actively attacking the macOS using weaponized documents.

Hackers Attacking MacOS

North Korean threat actors focused on macOS in 2023 with two major campaigns, and here below, we have mentioned those major campaigns:-

  • RustBucket
  • KandyKorn

RustBucket employed ‘SwiftLoader,’ disguising itself as a PDF Viewer, to deliver a Rust-written second-stage malware.

While in the KandyKorn campaign, Python scripts targeted blockchain engineers, delivering a C++ backdoor RAT named ‘KandyKorn’ after hijacking the Discord app on hosts.

A five-stage attack targeted users through Discord, using social engineering to trick them into downloading a malicious Python app.

This Python app is disguised as a crypto arbitrage bot that is distributed as Cross-Platform “Bridges.zip,” and the app contains several harmless Python scripts.

Bridges.zip contents (Source - SentinelOne)
Bridges.zip contents (Source – SentinelOne)

Here below, we have mentioned all the stages:-

  • Stage 0: In this stage, the Discord user is tricked into downloading a malicious Python app, Cross-Platform Bridges.zip. Then, the malware links are sent via direct message and hosted on Google Drive. Then, as a module, the app’s Main.py script imports Watcher.py.
  • Stage 1: In this stage, Watcher.py verifies the Python version and runs testSpeed.py, which downloads and executes FinderTools. After execution, testSpeed.py is removed, and then the “FinderTools” is saved at /Users/Shared/FinderTools.
  • Stage 2: In this stage, the FinderTools runs SUGARLOADER from /Users/Shared/.sld, copying it as .log and appname in /Applications/Discord.app/Contents/MacOS/. SUGARLOADER, coded in C++, looks for a config file at /Library/Caches/com.apple.safari.ck, downloading from C2 if absent. After that, the FinderTools links C2 tp.globa.xyz in the intrusion observed by the cybersecurity researchers.
  • Stage 3: In this stage, the SUGARLOADER downloads HLOADER, replaces genuine Discord, and sets up a stealthy persistence mechanism in /Applications/Discord.app/Contents/MacOS/Discord. HLOADER cleverly disguises itself as MacOS.tmp, ensuring continuous undetected execution alongside Discord. Apple’s login item monitoring remains unaware to this smart renaming/reloading strategy, enhancing persistence.
  • Stage 4: In this stage, from the com.apple.safari.ck the SUGARLOADER grabs the C2 URL to fetch and run the KANDYKORN via NSCreateObjectFileImageFromMemory and NSLinkModule. It’s a North Korean macOS malware technique seen in UnionCryptoTrader (2019).

North Korean threat actors have an evolving campaign named RustBucket, using the Swift-based app SecurePDF Viewer.app. It’s signed by “BBQ BAZAAR PRIVATE LIMITED” and reaches out to docs-send.online.

Another variant, Crypto-assets app.zip, signed by “Northwest Tech-Con Systems Ltd,” connects to on-global.xyz, dropping an executable at /Users/Shared/.pw.

This .pw file, associated with KandyKorn, references /Users/Shared/.pld, matching KandyKorn RAT, indicating shared infrastructure, objectives, and TTPs.

IOCs

SUGARLOADER

  • d28830d87fc71091f003818ef08ff0b723b3f358

HLOADER

  • 43f987c15ae67b1183c4c442dc3b784faf2df090

KANDYKORN RAT

  • 26ec4630b4d1116e131c8e2002e9a3ec7494a5cf
  • 46ac6dc34fc164525e6f7886c8ed5a79654f3fd3
  • 62267b88fa6393bc1f1eeb778e4da6b564b7011e
  • 8d5d214c490eae8f61325839fcc17277e514301e
  • 8f6c52d7e82fbfdead3d66ad8c52b372cc9e8b18
  • 9f97edbc1454ef66d6095f979502d17067215a9d
  • ac336c5082c2606ab8c3fb023949dfc0db2064d5
  • c45f514a252632cb3851fe45bed34b175370d594
  • ce3705baf097cd95f8f696f330372dd00996d29a
  • e244ff1d8e66558a443610200476f98f653b8519
  • e68bfa72a4b4289a4cc688e81f9282b1f78ebc1f
  • e77270ac0ea05496dd5a2fbccba3e24eb9b863d9

ObjCShell

  • 79337ccda23c67f8cfd9f43a6d3cf05fd01d1588

SecurePDF Viewer

  • a1a8a855f64a6b530f5116a3785a693d78ec09c0
  • e275deb68cdff336cb4175819a09dbaf0e1b68f6

Crypto-assets and their risks for financial stability.app

  • 09ade0cb777f4a4e0682309a4bc1d0f7d4d7a036
  • 5c93052713f317431bf232a2894658a3a4ebfad9
  • 884cebf1ad0e65f4da60c04bc31f62f796f90d79
  • be903ded39cbc8332cefd9ebbe7a66d95e9d6522

Downloader

  • 060a5d189ccf3fc32a758f1e218f814f6ce81744

Remotely-hosted AppleScript

  • 3c887ece654ea46b1778d3c7a8a6a7c7c7cfa61c
  • c806c7006950dea6c20d3d2800fe46d9350266b6

Network Communications

  • http[:]//docs-send.online/getBalance/usdt/ethereum
  • https[:]//drive.google[.]com/file/d1KW5nQ8MZccug6Mp4QtKyWLT3HIZzHNIL2
  • http[:]//on-global[.]xyz/Of56cYsfVV8/OJITWH2WFx/Jy5S7hSx0K/fP7saoiPBc/A%3D%3D
  • http[:]//tp-globa[.]xyz/OdhLca1mLUp/lZ5rZPxWsh/7yZKYQI43S/fP7savDX6c/bfC
  • http[:]//swissborg[.]blog/zxcv/bnm
  • 23.254.226[.]90
  • 104.168.214[.]151
  • 142.11.209[.]144
  • 192.119.64[.]43

File paths

  • /Applications/Discord.app/Contents/MacOS/.log
  • /Applications/Discord.app/Contents/MacOS/appname
  • /Library/Caches/com.apple.safari.ck
  • /tmp/tempXXXXXX
  • /Users/Shared/.pld
  • /Users/Shared/.pw
  • /Users/Shared/.sld