Pierluigi Paganini November 05, 2023

North Korea-linked Lazarus group is using new KandyKorn macOS Malware in attacks against blockchain engineers.

North Korea-linked Lazarus APT group were spotted using new KandyKorn macOS malware in attacks against blockchain engineers, reported Elastic Security Labs.

“KandyKorn is an advanced implant with a variety of capabilities to monitor, interact with, and avoid detection. It utilizes reflective loading, a direct-memory form of execution that may bypass detections,” notes Elastic Security, which identified and analyzed the threat.” reads the report.

Threat actors impersonated blockchain engineering community members on a public Discord used by members of this community. The attackers attempted to trick victims into downloading and decompress a ZIP archive (Cross-Platform Bridges.zip) containing the malicious Python code masqueraded by an arbitrage bot. An arbitrage bot is a tool that allows users to profit from cryptocurrency rate differences between platforms.

The attack chain aimed at infecting the target system with the KANDYKORN macOS malware.

Below is the sequence of malicious code employed in the attack:

• Stage 0 (Initial Compromise) – Watcher.py
• Stage 1 (Dropper) – testSpeed.py and FinderTools
• Stage 2 (Payload) – .sld and .log – SUGARLOADER
• Stage 3 (Loader)- Discord (fake) – HLOADER
• Stage 4 (Payload) – KANDYKORN

Decompressing the archive, it reveals a Main.py script along with the folder named order_book_recorder, which contains 13 Python scripts.

The SUGARLOADER connects to the C2 server to download the KANDYKORN and executes it directly in memory.

Elastic researchers traced this campaign to April 2023 through the RC4 key used to encrypt the SUGARLOADER and KANDYKORN C2.

The malware supports multiple capabilities such as harvesting information, listing directories and running processes, downloading files, uploading files, archiving directories and exfiltrating them, killing processes, executing commands using a terminal, spawning a shell, downloading a configuration from the server, sleeping, and exiting.

North Korea-linked threat actors continue to target organizations in the cryptocurrency industry to circumvent international sanctions and finance its military operations.

“The DPRK, via units like the LAZARUS GROUP, continues to target crypto-industry businesses with the goal of stealing cryptocurrency in order to circumvent international sanctions that hinder the growth of their economy and ambitions. In this intrusion, they targeted blockchain engineers active on a public chat server with a lure designed to speak to their skills and interests, with the underlying promise of financial gain.” concludes the report. “The infection required interactivity from the victim that would still be expected had the lure been legitimate.”

The campaign is still active and the enhance its tactics, techniques and procedures, Elastic warns.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Lazarus)