Security researchers have identified an attempt by state-sponsored hackers from the Democratic People’s Republic of Korea (DPRK) to infect blockchain engineers working for an undisclosed crypto exchange platform with a new form of macOS malware.
On October 31, Elastic Security Labs disclosed the intrusion, which uses custom and open-source capabilities for initial access and post-exploitation on Mac, all beginning with Discord…
Elastic calls this form of macOS malware “Kandykorn,” tracked as REF7001, and attributes its existence to the DPRK’s infamous cybercrime enterprise Lazarus Group after finding overlaps in the network infrastructure and techniques used.
Lazarus hackers used Discord to impersonate members of the blockchain engineering community and convince targets to download and decompress a ZIP archive containing malicious Python code (Kandykorn). The victims believed they were installing an arbitrage bot to profit from cryptocurrency rate differences.
“Kandykorn is an advanced implant with various capabilities to monitor, interact with, and avoid detection,” researchers with Elastic stated on Tuesday. “It utilizes reflective loading, a direct-memory form of execution that may bypass detections.”
The execution flow of REF7001 consists of five stages:
- Initial compromise: Threat actors target blockchain engineers with the camouflaged arbitrage bot Python application called Watcher.py. This is distributed in a .zip file titled “Cross-Platform Bridges.zip.”
- Network connection: If the victim runs the malicious Python code, it establishes an outbound network connection to intermediate dropper scripts, which download and execute Sugarloader.
- Payload: The obfuscated binary Sugarloader is used for initial access on the macOS system and prepares the final stage.
- Persistence:…
read more 9to5mac.com