DPRK hackers use KANDYKORN malware to target crypto experts

February 21, 2024
Cryptocurrency Blockchain KANDYKORN Malware SocialEngineering macOS

North Korean state-sponsored threat actors are currently targeting blockchain engineers associated with an undisclosed cryptocurrency exchange platform using the new KANDYKORN malware.

Based on published reports, the operators deliver this novel macOS malware over Discord. The researchers have tracked the operation since April and link it to the notorious DPRK group Lazarus.


The KANDYKORN malware operators lure their targets using a Python app.


The KANDYKORN malware operators persuade blockchain engineers to run a Python application, which gives them initial access to the targeted environment. The intrusion then proceeds through multiple stages, each using its own tactics to evade detection.

The Lazarus Group has previously leveraged macOS malware in their attacks. In one incident this year, they distributed a trojanised PDF viewer application that led to the deployment of RustBucket, an AppleScript-based backdoor that retrieves a second-stage payload from a remote server.

In the new campaign, the North Korean hackers impersonate members of the blockchain engineering community on a public Discord server. They use social engineering to trick victims into downloading and executing a ZIP archive containing malicious code.

The attackers lead the victims to believe they are installing an arbitrage bot, a software tool that capitalises on price differences between cryptocurrency exchanges. Running this seemingly harmless software instead starts a five-stage process that delivers KANDYKORN.

KANDYKORN is an advanced macOS implant with functions for monitoring, interaction, and evading detection. It is delivered by reflective loading, meaning the payload is executed directly in memory rather than written to disk, which sidesteps file-based security controls.

The attack begins with a Python script called “watcher.py,” which retrieves a second Python script (“testSpeed.py”) from Google Drive. This second script is a dropper that retrieves an additional Python file from Google Drive known as “FinderTools.”

FinderTools also acts as a dropper: when executed, it downloads and runs a hidden second-stage payload called “SUGARLOADER” (stored as /Users/Shared/.sld, with an accompanying .log file). SUGARLOADER then connects to a remote server to retrieve KANDYKORN and executes it directly in memory.

SUGARLOADER also launches a Swift-based, self-signed binary called “HLOADER,” which masquerades as the legitimate Discord application. By standing in for the real Discord binary, HLOADER establishes persistence through execution flow hijacking: each time Discord is launched, the loader runs as well.
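The staged chain above leaves host artefacts that a defender can hunt for: the dropper script names, the hidden SUGARLOADER files under /Users/Shared, and a Discord.app bundle whose main executable has been swapped out. The following Python script is an added example written for this page, not code from the researchers or the report it summarises. The file and script names are the ones the write-up gives; the hijack heuristic (a bundle's Contents/MacOS holding executables other than the one named in CFBundleExecutable) is an assumption about how replacing the Discord binary would look on disk, and the sample tree it scans, including the user "alice" and the renamed "Discord.orig", is constructed for the demonstration.

```python
import os
import plistlib
import tempfile
from pathlib import Path

# Names taken from the write-up of the KANDYKORN delivery chain.
DROPPER_SCRIPTS = {"watcher.py", "testSpeed.py", "FinderTools"}
# Hidden SUGARLOADER artefacts reported under /Users/Shared.
SUGARLOADER_FILES = {".sld", ".log"}


def hidden_loader_files(shared_dir: Path):
    """Names of known hidden loader files present in the shared directory."""
    if not shared_dir.is_dir():
        return []
    return sorted(p.name for p in shared_dir.iterdir()
                  if p.is_file() and p.name in SUGARLOADER_FILES)


def dropper_scripts(root: Path):
    """Paths (relative to root) of files whose names match the dropper scripts."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in DROPPER_SCRIPTS:
                hits.append(str(Path(dirpath, name).relative_to(root)))
    return sorted(hits)


def extra_executables(bundle: Path):
    """Heuristic for execution-flow hijacking of an app bundle (assumption, not
    from the report): a tampered bundle keeps the real binary under another
    name next to the impostor, so Contents/MacOS holds executables beyond the
    one named by CFBundleExecutable. Returns those extra executable names."""
    info = bundle / "Contents" / "Info.plist"
    macos = bundle / "Contents" / "MacOS"
    if not info.is_file() or not macos.is_dir():
        return []
    with info.open("rb") as fh:
        expected = plistlib.load(fh).get("CFBundleExecutable")
    return sorted(p.name for p in macos.iterdir()
                  if p.is_file() and os.access(p, os.X_OK) and p.name != expected)


def hunt(root):
    """Run all three checks against a filesystem root (e.g. "/" on a real Mac)."""
    root = Path(root)
    findings = {
        "sugarloader": hidden_loader_files(root / "Users" / "Shared"),
        "droppers": dropper_scripts(root / "Users"),
        "hijacked_bundles": {},
    }
    apps = root / "Applications"
    if apps.is_dir():
        for bundle in sorted(apps.glob("*.app")):
            extras = extra_executables(bundle)
            if extras:
                findings["hijacked_bundles"][bundle.name] = extras
    return findings


def _write(path: Path, data: bytes = b"", executable: bool = False):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    if executable:
        path.chmod(0o755)


def build_sample_tree(base: Path):
    """Constructed sample filesystem for the demo; contents are placeholders."""
    _write(base / "Users/Shared/.sld", b"\xcf\xfa\xed\xfe", executable=True)  # Mach-O magic only
    _write(base / "Users/Shared/.log", b"placeholder")
    _write(base / "Users/alice/Downloads/bot/watcher.py", b"# stage 1 (placeholder)")
    _write(base / "Users/alice/Downloads/bot/testSpeed.py", b"# stage 2 (placeholder)")
    _write(base / "Users/alice/Documents/notes.txt", b"benign")
    # Hijacked bundle: impostor "Discord" beside the renamed original (hypothetical name).
    disc = base / "Applications/Discord.app/Contents"
    _write(disc / "Info.plist", plistlib.dumps({"CFBundleExecutable": "Discord"}))
    _write(disc / "MacOS/Discord", b"impostor", executable=True)
    _write(disc / "MacOS/Discord.orig", b"original", executable=True)
    # Untouched bundle for comparison.
    safari = base / "Applications/Safari.app/Contents"
    _write(safari / "Info.plist", plistlib.dumps({"CFBundleExecutable": "Safari"}))
    _write(safari / "MacOS/Safari", b"original", executable=True)


def run_demo():
    """Build the constructed tree in a temp dir and return what hunt() finds."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        return hunt(base)


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

On a real Mac, `hunt("/")` runs the same checks against the live filesystem; pair the bundle heuristic with `codesign --verify --deep --strict /Applications/Discord.app`, since a self-signed replacement will not pass verification against Discord's own signing identity.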

KANDYKORN is a comprehensive memory-resident Remote Access Trojan (RAT) with features that include file enumeration, running additional malware, data exfiltration, process termination, and executing arbitrary commands.

The researchers note that the DPRK, through groups such as the Lazarus Group, continues to target businesses in the cryptocurrency industry to steal cryptocurrency and circumvent the international sanctions that constrain its economy and ambitions. Blockchain engineers should therefore be cautious when engaging with unknown parties, especially on Discord, and should not run unsolicited tools, to avoid KANDYKORN malware infections.
