North Korean hackers believed to be linked to the Lazarus Group have recently been identified targeting blockchain engineers within the cryptocurrency exchange industry using a newly discovered macOS malware dubbed Kandykorn.
This intrusion, tracked as REF7001 by Elastic Security Labs, involved a blend of custom and open source tools used to infiltrate macOS systems and maintain control over them.
According to a recent advisory released by security experts, the attack commenced with hackers posing as members of the blockchain engineering community on a public Discord server. They convinced their targets to download and extract a ZIP file containing malicious code under the guise of an arbitrage bot designed to capitalize on cryptocurrency rate differentials.
The attack unfolded through five distinct stages:
Initial Compromise: A Python application named Watcher.py was concealed within a ZIP file labeled “Cross-Platform Bridges.zip” and presented as an arbitrage bot.
Dropper: Intermediate dropper scripts TestSpeed.py and FinderTools were utilized to download and execute Sugarloader.
Payload: Sugarloader, an obfuscated binary, facilitated initial access and served as a loader for the final stage, Kandykorn.
Loader: Hloader, a payload disguised as the legitimate Discord application, was employed to persistently reload Sugarloader.
Payload: Kandykorn, the ultimate phase of the attack, furnished a comprehensive array of functionalities for data access and exfiltration.
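The stages above give a defender two concrete behaviours to hunt for: Python scripts launched from a user-extracted archive, and a process that calls itself Discord but does not live in the genuine application bundle. The following is an added example, not code from the Elastic report or from any detection product, that runs such checks over a constructed set of macOS process events. The event format, the file system paths, the PIDs and the assumption that a legitimate Discord binary resides under /Applications/Discord.app/ are all assumptions made for the example; only the script names Watcher.py and TestSpeed.py come from the write-up.

```python
import os

# Constructed sample of macOS process-execution events (not real telemetry).
# Paths, PIDs and parent names are invented for the example.
SAMPLE_EVENTS = [
    {"pid": 1201, "parent": "Terminal", "exe": "/usr/bin/python3",
     "args": ["/Users/dev/Downloads/Cross-Platform Bridges/Watcher.py"]},
    {"pid": 1202, "parent": "python3", "exe": "/usr/bin/python3",
     "args": ["/Users/dev/Downloads/Cross-Platform Bridges/TestSpeed.py"]},
    {"pid": 1310, "parent": "launchd",
     "exe": "/Applications/Discord.app/Contents/MacOS/Discord", "args": []},
    {"pid": 1311, "parent": "launchd",
     "exe": "/Users/dev/Library/Application Support/Discord", "args": []},
    {"pid": 1412, "parent": "Terminal", "exe": "/usr/bin/python3",
     "args": ["/Users/dev/projects/report.py"]},
]

# Script names reported for the REF7001 dropper chain.
KNOWN_DROPPER_SCRIPTS = {"watcher.py", "testspeed.py"}
# Directories a user typically extracts downloaded archives into (heuristic).
USER_STAGING_DIRS = ("/Downloads/", "/tmp/", "/private/tmp/")
# Assumed location of a legitimately installed Discord bundle.
LEGIT_DISCORD_PREFIX = "/Applications/Discord.app/"


def python_script_path(event):
    """Return the .py file a Python interpreter was asked to run, or None."""
    exe_name = os.path.basename(event["exe"])
    if not exe_name.startswith("python"):
        return None
    for arg in event["args"]:
        if arg.lower().endswith(".py"):
            return arg
    return None


def check_event(event):
    """Return a list of findings for one process event (empty if benign)."""
    findings = []
    script = python_script_path(event)
    if script:
        name = os.path.basename(script).lower()
        if name in KNOWN_DROPPER_SCRIPTS:
            findings.append(f"known REF7001 script name executed: {name}")
        if any(d in script for d in USER_STAGING_DIRS):
            findings.append(f"python script launched from user staging dir: {script}")
    # A process named Discord outside the expected bundle mirrors the
    # Hloader stage, which masquerades as the Discord application.
    if (os.path.basename(event["exe"]) == "Discord"
            and not event["exe"].startswith(LEGIT_DISCORD_PREFIX)):
        findings.append(f"process named Discord outside expected bundle: {event['exe']}")
    return findings


def hunt(events):
    """Map PID -> findings for every event that triggered at least one rule."""
    return {e["pid"]: f for e in events if (f := check_event(e))}


if __name__ == "__main__":
    for pid, findings in hunt(SAMPLE_EVENTS).items():
        for finding in findings:
            print(f"pid {pid}: {finding}")
```

The staging-directory rule will fire on legitimate developer activity, so in practice it is a hunting lead to be reviewed alongside the parent process and download history rather than a standalone alert; the Discord path rule is far more specific and worth alerting on directly.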
Kandykorn establishes communication with a command-and-control (C2) server over RC4-encrypted traffic and uses a unique handshake mechanism, after which it waits for commands rather than polling for them. The malware can execute a range of commands, including file upload and download, process manipulation, and running arbitrary system commands.
The Elastic report underscored the usage of reflective binary loading, a memory-resident execution method that can evade conventional detection techniques. This form of fileless execution has been previously observed in Lazarus Group attacks, which have a history of targeting cryptocurrency to evade international sanctions.
The technical documentation offers in-depth insights into the malware’s infrastructure, the Diamond Model utilized to illustrate the attack’s relationships, and includes EQL queries for hunting and detection purposes.
For further information on similar malware threats, refer to our recent article on Alloy Taurus hackers updating PingPull malware to target Linux systems.
Stay informed and vigilant against evolving cyber threats by staying updated on the latest security developments in the cryptocurrency and blockchain sectors.