North Korean hackers linked to the Lazarus Group are suspected of targeting blockchain engineers within the cryptocurrency exchange industry with a new macOS malware dubbed Kandykorn. This cyber intrusion, identified as REF7001 by Elastic Security Labs, involved a blend of custom and open source tools to infiltrate and maintain control over macOS systems.
The attack commenced with threat actors posing as members of the blockchain engineering community on a public Discord server. They lured victims into downloading and unzipping a malicious ZIP archive under the guise of an arbitrage bot designed to capitalize on cryptocurrency rate differentials.
The progression of REF7001 unfolded in five distinct stages:
1. Initial Compromise: A Python application named Watcher.py was disguised as an arbitrage bot and distributed within a ZIP file labeled “Cross-Platform Bridges.zip.”
2. Dropper: TestSpeed.py and FinderTools acted as intermediary dropper scripts to fetch and execute Sugarloader.
3. Payload: Sugarloader, an obfuscated binary, served as the initial access point and loader for the final component, Kandykorn.
4. Loader: Hloader, a payload posing as the legitimate Discord application, provided persistence by reloading Sugarloader on each launch.
5. Payload: Kandykorn, the ultimate stage of the attack, delivered a comprehensive set of functionalities for data access and exfiltration.
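The stage chain above lends itself to simple endpoint hunting heuristics. As an added example (not Elastic's EQL queries nor any code from the report), the Python below runs two checks over a constructed set of process-start events: a Python interpreter handing off to a binary outside system or application paths (the dropper-to-loader step), and a process named Discord running from anywhere other than the real Discord.app bundle (the Hloader masquerade). The event schema, file paths and sample values are assumptions.

```python
"""Hunting heuristics for the REF7001-style chain; constructed example.
The event fields (pid, ppid, name, path, cmdline) and every sample value
are assumptions modelled on a generic EDR process-event feed."""

# Constructed process-start events: a benign shell, the Python stages,
# a loader dropped from the unzipped archive, a Discord lookalike, and
# the genuine Discord binary for comparison.
EVENTS = [
    {"pid": 10, "ppid": 1, "name": "zsh", "path": "/bin/zsh", "cmdline": "zsh"},
    {"pid": 11, "ppid": 10, "name": "python3", "path": "/usr/bin/python3",
     "cmdline": "python3 Watcher.py"},
    {"pid": 12, "ppid": 11, "name": "python3", "path": "/usr/bin/python3",
     "cmdline": "python3 TestSpeed.py"},
    {"pid": 13, "ppid": 12, "name": "FinderTools",
     "path": "/Users/dev/Downloads/Cross-Platform Bridges/FinderTools",
     "cmdline": "FinderTools"},
    {"pid": 14, "ppid": 1, "name": "Discord",
     "path": "/Users/dev/Library/Application Support/Discord",
     "cmdline": "Discord"},
    {"pid": 15, "ppid": 1, "name": "Discord",
     "path": "/Applications/Discord.app/Contents/MacOS/Discord",
     "cmdline": "Discord"},
]

# Assumed trust boundaries; tune to the fleet's software inventory.
TRUSTED_DISCORD_PREFIX = "/Applications/Discord.app/Contents/MacOS/"
SYSTEM_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/System/", "/Applications/")


def python_spawning_untrusted_binary(events):
    """Dropper -> loader: a Python interpreter launching an executable that
    lives outside system or application directories. Returns child pids."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if (parent and parent["name"].startswith("python")
                and not e["path"].startswith(SYSTEM_PREFIXES)):
            hits.append(e["pid"])
    return hits


def discord_masquerade(events):
    """Loader stage: anything named Discord that is not the bundled binary."""
    return [e["pid"] for e in events
            if e["name"] == "Discord"
            and not e["path"].startswith(TRUSTED_DISCORD_PREFIX)]
```

Both checks are path-based and will not see a payload that is loaded reflectively into an existing process, which is why they complement rather than replace memory-oriented telemetry.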
Kandykorn communicates with a command-and-control (C2) server over an RC4-encrypted channel and uses a distinctive handshake after which it waits for instructions from the server rather than polling for them. The malware's capabilities include file upload and download, process manipulation, and execution of system commands.
Reflective binary loading, a form of fileless execution in which the payload runs only in memory and evades conventional file-based detection, featured prominently in this campaign. The technique has previously been associated with Lazarus Group operations, particularly in efforts to steal cryptocurrency as a way of working around international sanctions.
The detailed technical report by the Elastic team delves into the intricacies of the attack, offering EQL queries for detection and hunting purposes, as well as insights into the malware’s infrastructure and the application of the Diamond Model to depict the relationships within the intrusion.
For further information on related malware activities, consider exploring the recent advancements in the Alloy Taurus hackers’ PingPull malware, which has been adapted to target Linux systems.