Throughout the year, North Korean hacker groups have carried out numerous targeted attacks. The latest specifically targets Macs and shows that the hackers have reorganized to become more efficient.
North Korean hackers have been very active this year. The groups carry out frequent and increasingly sophisticated attacks. This summer, a group identified as Kimsuky embarked on a social engineering campaign targeting the U.S. government, politicians, academics and journalists to obtain sensitive information about South Korea. More surprisingly, given that North Korea supplies munitions to Russia, two other groups simultaneously infiltrated the systems of the Russian missile manufacturer NPO Mashinostroyeniya. Today, these actors operate tools that specifically target Macs. The tools originally came from two different attack campaigns, identified as RustBucket and KandyKorn by cybersecurity researchers at SentinelOne.
North Korean hackers are getting organized
In the latest maneuvers, it appears that the tools of these two campaigns are now intertwined. The operation, called RustBucket, consists of infecting the target with a PDF reader called “SecurePDF Viewer.app”, which until recently carried an Apple-issued code signature and which exists in several variants. Once opened, the app runs code that downloads the payload, called KandyKorn. This payload is aimed directly at the blockchain engineers of a cryptocurrency exchange platform. A third piece of the puzzle, called ObjCShellz, finally allows the attackers to take control of the infected computer. While SentinelOne does not indicate the final objective of these attacks or who specifically was targeted, this type of maneuver shows that North Korean hacker groups are evolving their organization by sharing infrastructure and running collaborative missions. This “mixing” gives them more stealth and speed and lets them adapt better to defensive systems.