The obfuscation technique observed by SentinelOne is in line with this: it combines the dropper module of RustBucket, an activity cluster linked to the Lazarus Group and first observed in May, with delivery of the KandyKorn RAT payload, first reported by Elastic Security Labs earlier this month.
The RustBucket campaign uses a backdoored PDF viewer, SwiftLoader, to read a lure document sent to users. While victims viewed the lure, SwiftLoader retrieved and executed a further stage malware written in the Rust language.
KandyKorn, on the other hand, is a multiphase campaign aimed at blockchain engineers working on a cryptocurrency exchange platform. The miscreants employed Python scripts to deploy malware, seizing control of the host’s Discord application, and then introducing a backdoor RAT coded in C++, referred to as “KandyKorn.”
The shared infrastructure allows the attackers to use SwiftLoader to install HLoader, a payload targeting the Discord application that gains persistence by hijacking the application's frequent launches, thereby evading detection. Additionally, SentinelOne found traces of ObjCShellz, a later-stage payload written in Objective-C, used to maintain persistent remote access.
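Because the persistence described above depends on modifying the host's Discord application, one defensive check is an integrity baseline of the app bundle: record a hash of every file while the install is known-good, then re-walk the bundle and report anything added, removed or changed. The following is an added example written for this page, not code from SentinelOne, Elastic or the reported malware; it assumes nothing about HLoader's actual mechanics and simply flags any change to the bundle. The bundle layout, file contents and "tampering" step are constructed in a temporary directory so the script runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(bundle: Path) -> dict:
    """Map each regular file (relative path) inside the bundle to its hash."""
    manifest = {}
    for entry in sorted(bundle.rglob("*")):
        if entry.is_file():
            manifest[entry.relative_to(bundle).as_posix()] = hash_file(entry)
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Report files that appeared, disappeared or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            name for name in baseline if name in current and baseline[name] != current[name]
        ),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake Discord.app, tamper with it, diff the result."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "Discord.app"          # constructed, not a real install
        macos_dir = bundle / "Contents" / "MacOS"
        macos_dir.mkdir(parents=True)
        (macos_dir / "Discord").write_bytes(b"original launcher (constructed)")
        (bundle / "Contents" / "Info.plist").write_text("<plist/>")

        baseline = build_manifest(bundle)           # taken while the bundle is known-good

        # Simulated tampering (constructed): launcher replaced, extra binary dropped in.
        (macos_dir / "Discord").write_bytes(b"replaced launcher (constructed)")
        (macos_dir / "helper").write_bytes(b"extra binary (constructed)")

        return diff_manifest(baseline, build_manifest(bundle))


if __name__ == "__main__":
    print(demo())
```

On a real macOS host this complements, rather than replaces, Apple's own signature check (`codesign --verify --deep --strict /Applications/Discord.app`): the hash baseline catches unsigned or re-signed content that a bare signature check might accept, while `codesign` catches changes made before your baseline was recorded. Store the baseline off-host, since malware with write access to the bundle can rewrite a local copy.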