According to Yahoo News, North Korea's hackers are becoming an increasing online threat, with multiple campaigns targeting macOS users. SentinelOne released a report on Monday revealing that in 2023, North Korean-associated hackers conducted two major campaigns aimed at macOS users, RustBucket and KandyKorn. RustBucket delivered the SwiftLoader malware disguised as a PDF viewer for a lure PDF document sent to victims, while KandyKorn targeted blockchain engineers at a crypto exchange platform, using Python scripts to take over a host's Discord app and install a backdoor RAT (remote access trojan) on target systems.
Malware creators are blending elements of software from both campaigns, with RustBucket's SwiftLoader appearing in various forms capable of running on both Intel and Apple Silicon hardware. In one instance, a SwiftLoader variant was packaged in a file called 'Crypto-assets and their risks for financial stability.app.zip' and had multiple elements connecting it to KandyKorn. Researchers have 'medium confidence' that the .pld file used in this hybrid refers to the same one used in the KandyKorn RAT itself. SentinelOne's analysis supports findings from other researchers that North Korean-linked threat actors tend to reuse shared infrastructure.
To protect against KandyKorn and RustBucket malware, macOS users should employ common sense and best practices online, such as understanding the sources of files and applications, not opening documents from untrustworthy sources, and staying vigilant with security updates. With hacker interest in macOS approximately ten times that of 2019, Mac users need to be more aware than ever of potential risks, despite Apple's efforts to maintain a secure operating system.
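The advice above comes down to knowing what a downloaded file really is before opening it. The article describes lures that arrive as a zip archive wrapping an application bundle named like a document, with a SwiftLoader build that runs on both Intel and Apple Silicon. The following script is an added example (not SentinelOne's or Apple's tooling, and not from the article) that performs that check offline on a constructed sample archive: it lists every `.app` bundle inside a zip, flags a document extension hidden before `.app`, and reads the Mach-O header of the bundle's executable to report which architectures it targets (a universal "fat" header covers both). The document-extension list and the sample bundle contents are assumptions; the lure bundle name reuses the file name quoted in the article.

```python
"""Triage a downloaded zip archive for application bundles posing as documents.

Added example, not SentinelOne's or Apple's tooling. The sample archive below is
constructed inline; the bundle name reuses the lure file name quoted in the article.
"""
import io
import struct
import zipfile

# Mach-O magic values from Apple's public <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC_64 = 0xFEEDFACF    # single-architecture 64-bit Mach-O (stored little-endian)
FAT_MAGIC = 0xCAFEBABE      # universal ("fat") binary wrapping several architectures (big-endian)
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64 (Intel)", CPU_TYPE_ARM64: "arm64 (Apple Silicon)"}

# Document extensions a lure might place before ".app" (heuristic list, an assumption)
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def macho_architectures(data: bytes) -> list:
    """Return the architectures declared by a Mach-O header, or [] if the bytes are not Mach-O."""
    if len(data) < 8:
        return []
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        if nfat > 32:            # Java class files share this magic; a real fat header has a small count
            return []
        archs = []
        for i in range(nfat):
            off = 8 + i * 20     # each fat_arch record: cputype, cpusubtype, offset, size, align (5 x uint32)
            if off + 20 > len(data):
                break
            cputype = struct.unpack(">I", data[off:off + 4])[0]
            archs.append(CPU_NAMES.get(cputype, hex(cputype)))
        return archs
    if struct.unpack("<I", data[:4])[0] == MH_MAGIC_64:
        cputype = struct.unpack("<I", data[4:8])[0]
        return [CPU_NAMES.get(cputype, hex(cputype))]
    return []


def triage_zip(zip_bytes: bytes) -> list:
    """Report every .app bundle in the archive, why it deserves a second look, and what it would run on."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        bundles = sorted({n.split("/", 1)[0] for n in names if n.split("/", 1)[0].lower().endswith(".app")})
        for bundle in bundles:
            reasons = ["archive delivers an application bundle, not a document"]
            if bundle[:-4].lower().endswith(DOC_EXTENSIONS):
                reasons.append("bundle name carries a document extension before .app")
            archs = []
            prefix = bundle + "/Contents/MacOS/"
            for n in names:
                if n.startswith(prefix) and not n.endswith("/"):
                    archs.extend(macho_architectures(zf.read(n)))
            if len(set(archs)) > 1:
                reasons.append("universal binary: runs on both Intel and Apple Silicon")
            findings.append({"bundle": bundle, "architectures": archs, "reasons": reasons})
    return findings


def fat_header(cputypes) -> bytes:
    """Build a minimal (constructed, non-executable) universal-binary header for the sample."""
    out = struct.pack(">II", FAT_MAGIC, len(cputypes))
    for i, cpu in enumerate(cputypes):
        out += struct.pack(">IIIII", cpu, 0, 4096 * (i + 1), 4096, 12)
    return out


def build_sample_archive() -> bytes:
    """Constructed sample: a lure-style archive with one universal .app and one document-named .app."""
    buf = io.BytesIO()
    lure = "Crypto-assets and their risks for financial stability.app"
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(lure + "/Contents/Info.plist", "<plist/>")
        zf.writestr(lure + "/Contents/MacOS/viewer", fat_header([CPU_TYPE_X86_64, CPU_TYPE_ARM64]))
        zf.writestr("Report.pdf.app/Contents/MacOS/Report", struct.pack("<II", MH_MAGIC_64, CPU_TYPE_ARM64))
        zf.writestr("README.txt", "constructed sample, contains no real code")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_archive()):
        print(f["bundle"], f["architectures"], "; ".join(f["reasons"]))
```

The script only reads headers and never extracts or launches anything, so it is safe to run on a quarantined download. On a real Mac the same questions are answered by Finder's "Get Info" (is it an application?), the quarantine attribute Gatekeeper sets on downloads, and `file` on the bundle's executable; the point of the heuristic is that a report or PDF should never arrive as an `.app`, whatever its name says.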