Saturday, June 15, 2024

North Korean Hackers Attacking macOS Using Weaponized Documents

Hackers often use weaponized documents to exploit vulnerabilities in software, which enables the execution of malicious code.

All these documents contain malicious code or macros, often disguised as familiar files, which help hackers gain unauthorized access and deliver malware to their targets.

Recently, the cybersecurity researchers at SentinelOne reported that North Korean hackers are actively attacking the macOS using weaponized documents.

Document
Protect Your Storage With SafeGuard

Is Your Storage & Backup Systems Fully Protected? – Watch 40-second Tour of SafeGuard

StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.

Hackers Attacking macOS

North Korean threat actors focused on macOS in 2023 with two major campaigns, and here below, we have mentioned those major campaigns:-

  • RustBucket
  • KandyKorn

RustBucket employed ‘SwiftLoader,’ disguising itself as a PDF Viewer, to deliver a Rust-written second-stage malware. 

While in the KandyKorn campaign, Python scripts targeted blockchain engineers, delivering a C++ backdoor RAT named ‘KandyKorn’ after hijacking the Discord app on hosts.

A five-stage attack targeted users through Discord, using social engineering to trick them into downloading a malicious Python app.

This Python app is disguised as a crypto arbitrage bot that is distributed as Cross-Platform “Bridges.zip,” and the app contains several harmless Python scripts.

Bridges.zip contents (Source - SentinelOne)
Bridges.zip contents (Source – SentinelOne)

Here below, we have mentioned all the stages:-

  • Stage 0: In this stage, the Discord user is tricked into downloading a malicious Python app, Cross-Platform Bridges.zip. Then, the malware links are sent via direct message and hosted on Google Drive. Then, as a module, the app’s Main.py script imports Watcher.py.
  • Stage 1: In this stage, Watcher.py verifies the Python version and runs testSpeed.py, which downloads and executes FinderTools. After execution, testSpeed.py is removed, and then the “FinderTools” is saved at /Users/Shared/FinderTools.
  • Stage 2: In this stage, the FinderTools runs SUGARLOADER from /Users/Shared/.sld, copying it as .log and appname in /Applications/Discord.app/Contents/MacOS/. SUGARLOADER, coded in C++, looks for a config file at /Library/Caches/com.apple.safari.ck, downloading from C2 if absent. After that, the FinderTools links C2 tp.globa.xyz in the intrusion observed by the cybersecurity researchers.
  • Stage 3: In this stage, the SUGARLOADER downloads HLOADER, replaces genuine Discord, and sets up a stealthy persistence mechanism in /Applications/Discord.app/Contents/MacOS/Discord. HLOADER cleverly disguises itself as MacOS.tmp, ensuring continuous undetected execution alongside Discord. Apple’s login item monitoring remains unaware to this smart renaming/reloading strategy, enhancing persistence.
  • Stage 4: In this stage, from the com.apple.safari.ck the SUGARLOADER grabs the C2 URL to fetch and run the KANDYKORN via NSCreateObjectFileImageFromMemory and NSLinkModule. It’s a North Korean macOS malware technique seen in UnionCryptoTrader (2019). 

North Korean threat actors have an evolving campaign named RustBucket, using the Swift-based app SecurePDF Viewer.app. It’s signed by “BBQ BAZAAR PRIVATE LIMITED” and reaches out to docs-send.online. 

Another variant, Crypto-assets app.zip, signed by “Northwest Tech-Con Systems Ltd,” connects to on-global.xyz, dropping an executable at /Users/Shared/.pw. 

This .pw file, associated with KandyKorn, references /Users/Shared/.pld, matching KandyKorn RAT, indicating shared infrastructure, objectives, and TTPs.

IOCs

SUGARLOADER

  • d28830d87fc71091f003818ef08ff0b723b3f358

HLOADER

  • 43f987c15ae67b1183c4c442dc3b784faf2df090

KANDYKORN RAT

  • 26ec4630b4d1116e131c8e2002e9a3ec7494a5cf
  • 46ac6dc34fc164525e6f7886c8ed5a79654f3fd3
  • 62267b88fa6393bc1f1eeb778e4da6b564b7011e
  • 8d5d214c490eae8f61325839fcc17277e514301e
  • 8f6c52d7e82fbfdead3d66ad8c52b372cc9e8b18
  • 9f97edbc1454ef66d6095f979502d17067215a9d
  • ac336c5082c2606ab8c3fb023949dfc0db2064d5
  • c45f514a252632cb3851fe45bed34b175370d594
  • ce3705baf097cd95f8f696f330372dd00996d29a
  • e244ff1d8e66558a443610200476f98f653b8519
  • e68bfa72a4b4289a4cc688e81f9282b1f78ebc1f
  • e77270ac0ea05496dd5a2fbccba3e24eb9b863d9

ObjCShell

  • 79337ccda23c67f8cfd9f43a6d3cf05fd01d1588

SecurePDF Viewer

  • a1a8a855f64a6b530f5116a3785a693d78ec09c0
  • e275deb68cdff336cb4175819a09dbaf0e1b68f6

Crypto-assets and their risks for financial stability.app

  • 09ade0cb777f4a4e0682309a4bc1d0f7d4d7a036
  • 5c93052713f317431bf232a2894658a3a4ebfad9
  • 884cebf1ad0e65f4da60c04bc31f62f796f90d79
  • be903ded39cbc8332cefd9ebbe7a66d95e9d6522

Downloader

  • 060a5d189ccf3fc32a758f1e218f814f6ce81744

Remotely-hosted AppleScript

  • 3c887ece654ea46b1778d3c7a8a6a7c7c7cfa61c
  • c806c7006950dea6c20d3d2800fe46d9350266b6

Network Communications

  • http[:]//docs-send.online/getBalance/usdt/ethereum
  • https[:]//drive.google[.]com/file/d1KW5nQ8MZccug6Mp4QtKyWLT3HIZzHNIL2
  • http[:]//on-global[.]xyz/Of56cYsfVV8/OJITWH2WFx/Jy5S7hSx0K/fP7saoiPBc/A%3D%3D
  • http[:]//tp-globa[.]xyz/OdhLca1mLUp/lZ5rZPxWsh/7yZKYQI43S/fP7savDX6c/bfC
  • http[:]//swissborg[.]blog/zxcv/bnm
  • 23.254.226[.]90
  • 104.168.214[.]151
  • 142.11.209[.]144
  • 192.119.64[.]43

File paths

  • /Applications/Discord.app/Contents/MacOS/.log
  • /Applications/Discord.app/Contents/MacOS/appname
  • /Library/Caches/com.apple.safari.ck
  • /tmp/tempXXXXXX
  • /Users/Shared/.pld
  • /Users/Shared/.pw
  • /Users/Shared/.sld

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.

Website

Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles