KandyKorn macOS malware lobbed at blockchain engineers


North Korean hackers are using novel macOS malware named KandyKorn to target blockchain engineers of a cryptocurrency exchange platform.

The attack

By impersonating blockchain engineering community members on Discord, the attackers used social engineering techniques to make victims download a malicious ZIP file.

The victims believe they are installing an arbitrage bot, i.e., crypto trading software, but what they actually download is a Python file (Main.py). Main.py downloads and executes Watcher.py, which stages the system for further downloads: it fetches and runs several intermediate dropper Python scripts, which in turn retrieve an obfuscated binary named Sugarloader from a Google Drive URL.

Another loader (Hloader), posing as the legitimate Discord app, serves as a persistence mechanism and is used to launch Sugarloader. Sugarloader establishes a connection to a C2 server, then downloads the KandyKorn malware and executes it directly in memory.
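The chain above leaves two telemetry patterns a defender can look for: nested Python processes whose descendants fetch from Google Drive, and a process named Discord running from somewhere other than the bundled app path. The following script is an added example, not code from the article or from Elastic Security Labs; the process events, paths and the Google Drive URL are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    name: str
    path: str
    cmdline: str


# Constructed sample process telemetry (hypothetical, not captured from the campaign).
EVENTS = [
    ProcEvent(100, 1, "Discord", "/Applications/Discord.app/Contents/MacOS/Discord", "Discord"),
    ProcEvent(150, 1, "Terminal", "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "Terminal"),
    ProcEvent(200, 150, "python3", "/usr/bin/python3", "python3 Main.py"),
    ProcEvent(201, 200, "python3", "/usr/bin/python3", "python3 Watcher.py"),
    ProcEvent(202, 201, "python3", "/usr/bin/python3",
              "python3 stage.py https://drive.google.com/uc?id=PLACEHOLDER_ID"),
    ProcEvent(300, 1, "Discord", "/Users/alice/Library/Application Support/Discord", "Discord"),
]

# Where the genuine Discord app lives on macOS; anything else using the name is suspect.
LEGIT_DISCORD_PREFIX = "/Applications/Discord.app/"


def _ancestors(ev, by_pid):
    """Walk the parent chain of an event, nearest parent first."""
    chain = []
    cur = by_pid.get(ev.ppid)
    while cur is not None:
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def find_python_staging_chains(events, min_depth=2):
    """Return PIDs of Python processes fetching from Google Drive that sit
    beneath at least `min_depth` Python ancestors (Main.py -> Watcher.py -> dropper)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if "python" not in ev.name or "drive.google.com" not in ev.cmdline:
            continue
        python_parents = [a for a in _ancestors(ev, by_pid) if "python" in a.name]
        if len(python_parents) >= min_depth:
            hits.append(ev.pid)
    return hits


def find_discord_masquerade(events):
    """Return PIDs of processes named Discord running outside the real app bundle."""
    return [e.pid for e in events
            if e.name == "Discord" and not e.path.startswith(LEGIT_DISCORD_PREFIX)]
```

Running both functions over the sample events flags the third-stage dropper (PID 202) and the masquerading Discord process (PID 300) while leaving the genuine Discord and Terminal processes alone.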

KandyKorn execution flow. (Source: Elastic Security Labs)

The macOS KandyKorn malware

“Once communication is established, KandyKorn awaits commands from the server. This is an interesting characteristic in that the malware waits for commands instead of polling for commands. This would reduce the number of endpoint and network artifacts generated and provide a way to limit potential discovery,” Elastic Security Labs researchers explained.

KandyKorn is a remote access trojan (RAT) capable of performing encrypted C2 communications, enumerating systems, uploading and executing additional malicious payloads, compressing and exfiltrating data, and more.

“Elastic traced this campaign to April 2023 through the RC4 key used to encrypt the Sugarloader and KandyKorn C2. This threat is still active and the tools and techniques are being continuously developed,” the researchers said.

Cryptocurrency companies under attack

The researchers attributed this activity to North Korean hackers (i.e., the Lazarus Group) based on the techniques, network infrastructure, and code-signing certificates used in the campaign, and custom Lazarus Group detection rules.

In recent years, North Korean hackers have shown a growing interest in targeting cryptocurrency companies.

These cyberattacks pose a significant threat to the digital assets and security of the cryptocurrency industry, as North Korea seeks to bypass international sanctions and generate revenue for the politically isolated state.
