Lazarus Group Deploys macOS Malware to Target Blockchain Engineers

Ali Raza - Expert Tech Journalist
Last updated: November 5, 2023
  • Lazarus Group has deployed macOS malware against blockchain engineers.
  • The macOS malware is known as KANDYKORN.
  • This malware is fairly new.

North Korean state-sponsored hackers have targeted blockchain engineers at an unnamed cryptocurrency exchange through Discord. The engineers were targeted with a novel macOS malware known as KANDYKORN.

According to a report by cybersecurity researchers Ricardo Ungureanu, Seth Goodwin, and Andrew Pease, the threat actors lured blockchain engineers with a Python application in order to gain initial access to the victims' environment.

The researchers affirmed,

“This intrusion involved multiple complex stages that each employed deliberate defense evasion techniques”

Lazarus Group Launches macOS Malware Against Blockchain Engineers

This is not the first time the Lazarus Group has used macOS malware in its hacking campaigns.

Earlier this year, the group was detected distributing a backdoored PDF application that led to the deployment of RustBucket, an AppleScript-based backdoor used to retrieve a second-stage payload from remote servers.

The hackers have also used social engineering to trick victims into downloading and executing a ZIP archive containing malicious code. What sets this campaign apart is the way the threat actors impersonated blockchain engineers within a public Discord server.

The researchers said that victims were tricked into installing an arbitrage bot. Cryptocurrency traders use such bots to profit from differences in cryptocurrency prices between trading platforms.

The researchers noted,

“KANDYKORN is an advanced implant with various capabilities to monitor, interact with, and avoid detection. It utilizes reflective loading, a direct-memory form of execution that may bypass detections.”

How the Malware Works

The infection chain starts with a Python script that retrieves a second Python script hosted on Google Drive. That dropper in turn fetches another Python file, known as FinderTools, from a Google Drive URL.

FinderTools also acts as a dropper, installing and executing a hidden second-stage payload known as SUGARLOADER. SUGARLOADER connects to a remote server to retrieve KANDYKORN and runs the malware directly in memory.

SUGARLOADER also launches a self-signed binary known as HLOADER. This binary masquerades as the legitimate Discord application to achieve persistence through execution flow hijacking.

KANDYKORN is deployed as the final-stage payload: a full-featured memory-resident RAT with built-in capabilities for file enumeration, running additional malware, exfiltrating data, terminating processes, and running arbitrary commands.
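As an added defender-side example (not code from this article or from the researchers' report): a Python check that parses the output of `codesign -dvvv` and flags an application binary whose signature is ad-hoc or self-signed rather than chained to an Apple Developer ID certificate, which is how a self-signed impostor standing in for the genuine Discord app would differ from the real one. The two sample outputs are constructed for illustration; the vendor name, bundle identifier and team ID in them are placeholders.

```python
"""Flag a macOS app binary whose code signature is self-signed or ad-hoc
instead of chaining to an Apple Developer ID certificate.
Parses the text that `codesign -dvvv <path>` writes to stderr."""
import subprocess


def parse_codesign(text: str) -> dict:
    """Collect Identifier=, Authority= (leaf first, root last) and the adhoc marker."""
    info = {"identifier": None, "authorities": [], "adhoc": False}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Identifier="):
            info["identifier"] = line.split("=", 1)[1]
        elif line.startswith("Authority="):
            info["authorities"].append(line.split("=", 1)[1])
        elif line.startswith("Signature=adhoc"):
            info["adhoc"] = True
    return info


def is_developer_id_signed(info: dict) -> bool:
    """True only if the leaf is a Developer ID cert and the chain ends at Apple Root CA.
    A self-signed binary lists itself as the sole authority; an ad-hoc one lists none."""
    auths = info["authorities"]
    if info["adhoc"] or not auths:
        return False
    return auths[0].startswith("Developer ID Application:") and auths[-1] == "Apple Root CA"


def check_binary(path: str) -> bool:
    """On a live macOS host, run codesign on `path`; any error counts as untrusted."""
    proc = subprocess.run(["codesign", "-dvvv", path], capture_output=True, text=True)
    return proc.returncode == 0 and is_developer_id_signed(parse_codesign(proc.stderr))


# Constructed sample outputs; vendor name, identifier and team ID are placeholders.
LEGIT_SAMPLE = """Executable=/Applications/Discord.app/Contents/MacOS/Discord
Identifier=com.example.Discord
Authority=Developer ID Application: Example Vendor Inc. (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
"""
SELF_SIGNED_SAMPLE = """Executable=/Applications/Discord.app/Contents/MacOS/Discord
Identifier=Discord
Authority=Discord
"""

if __name__ == "__main__":
    print("genuine bundle trusted:", is_developer_id_signed(parse_codesign(LEGIT_SAMPLE)))
    print("self-signed impostor trusted:", is_developer_id_signed(parse_codesign(SELF_SIGNED_SAMPLE)))
```

On a real host, `check_binary("/Applications/Discord.app/Contents/MacOS/Discord")` performs the same check against the installed bundle.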

The researchers further said that North Korea uses units such as the Lazarus Group to target businesses in the cryptocurrency sector, stealing crypto assets in violation of international sanctions.


About the Author

Ali Raza

Expert Tech Journalist

He is passionate about online privacy. Experienced in web journalism and marketing, Ali Raza holds a master's degree in finance and enjoys writing about cryptocurrencies and fintech. Ali's work has been published in several respected publications.
