In a recent report, Elastic Security Labs revealed that the North Korea-linked Lazarus APT group has been actively employing a new macOS malware strain called KandyKorn in targeted attacks against blockchain engineers. The KandyKorn malware exhibits advanced capabilities designed to monitor, interact with, and evade detection. One of its notable features is the use of reflective loading, a direct-memory execution method that can help it bypass security detections.
The attackers behind these campaigns impersonated members of the blockchain engineering community on a public Discord channel used by that community. Their aim was to deceive victims into downloading and decompressing a ZIP archive named “Cross-Platform Bridges.zip,” which contained malicious Python code disguised as an arbitrage bot. Arbitrage bots are legitimate tools that let users profit from differences in cryptocurrency rates between platforms.
The attack chain was orchestrated to infect the target system with the KandyKorn macOS malware. The attack stages involved in the campaign were:
- Stage 0 (Initial Compromise) – Watcher.py
- Stage 1 (Dropper) – testSpeed.py and FinderTools
- Stage 2 (Payload) – .sld and .log – SUGARLOADER
- Stage 3 (Loader) – Discord (fake) – HLOADER
- Stage 4 (Payload) – KANDYKORN
Decompressing the archive revealed a Main.py script along with a folder named “order_book_recorder,” which contained 13 Python scripts. SUGARLOADER connected to the command-and-control (C2) server to download the KandyKorn malware and executed it directly in memory.
Researchers at Elastic Security traced this campaign back to April 2023 through the RC4 key used to encrypt the SUGARLOADER and KandyKorn C2 communications.
KandyKorn has a wide range of capabilities, including information harvesting, directory and process listing, file downloading and uploading, archiving and exfiltrating directories, process termination, command execution through a terminal, shell spawning, configuration retrieval from the server, sleep functionality, and the ability to exit.
The Lazarus Group, linked to North Korea, continues to target cryptocurrency industry organizations in efforts to evade international sanctions and finance its military operations. These intrusions specifically targeted blockchain engineers, capitalizing on their skills and interests while promising financial gains.
The persistence and sophistication of such attacks highlight the need for heightened cybersecurity measures in the cryptocurrency industry and emphasize the ongoing challenges in defending against state-sponsored threat actors.