North Korean hackers suspected of being linked to the Lazarus Group have been observed targeting blockchain engineers working on cryptocurrency exchange platforms with a new macOS malware named Kandykorn.
The intrusion, tracked as REF7001 by Elastic Security Labs, used a mix of custom and open-source capabilities to gain initial access and carry out post-exploitation on macOS systems.
Writing in an advisory published today, the security researchers said the intrusion began when attackers impersonated members of the blockchain engineering community on a public Discord server, convincing victims to download and decompress a ZIP archive containing malicious code. The victim believed they were installing an arbitrage bot to profit from cryptocurrency rate differences between exchanges.
The execution flow of REF7001 involved five stages:
- Initial Compromise: A Python application named Watcher.py was camouflaged as an arbitrage bot and distributed in a .zip file titled “Cross-Platform Bridges.zip.”
- Dropper: TestSpeed.py and FinderTools were used as intermediate dropper scripts to download and execute Sugarloader.
- Payload: Sugarloader, an obfuscated binary, was used for initial access and as a loader for the final stage, Kandykorn.
- Loader: Hloader, a payload masquerading as the legitimate Discord application, was used as a persistence mechanism for loading Sugarloader.
- Payload: Kandykorn, the final stage of the intrusion, provided a full-featured set of capabilities for data access and exfiltration.
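The stage names above give a defender a few concrete, if brittle, indicators to hunt for in endpoint telemetry: the lure archive name, the two Python stager scripts, and a process calling itself Discord that does not run from the real application bundle. The following is an added example written for this article, not code from the Elastic report or its EQL queries; the event schema, the sample events and the legitimate Discord install path are all constructed assumptions.

```python
"""Added example (not from the Elastic report or this article): a small
hunting routine that flags process-creation events matching the REF7001
execution chain. Event field names and the sample events are constructed
for illustration; the legitimate Discord path is an assumption about a
standard macOS install."""

from dataclasses import dataclass
import os

# Assumption: the legitimate Discord client runs from inside this app bundle.
LEGIT_DISCORD_PREFIX = "/Applications/Discord.app/"
# Stager script names reported in the intrusion.
KNOWN_STAGER_SCRIPTS = {"watcher.py", "testspeed.py"}
# Lure archive name reported in the intrusion.
LURE_ARCHIVE = "cross-platform bridges.zip"


@dataclass
class ProcEvent:
    """Minimal process-creation record (constructed schema, not a real EDR format)."""
    process_name: str
    process_path: str
    command_line: str
    parent_name: str


def classify(ev: ProcEvent) -> list:
    """Return the list of REF7001 indicators an event matches (empty if none)."""
    hits = []
    # Hloader masquerades as Discord for persistence: flag a "Discord" process
    # that is not executing from the real app bundle.
    if ev.process_name.lower() == "discord" and not ev.process_path.startswith(LEGIT_DISCORD_PREFIX):
        hits.append("discord_outside_app_bundle")
    # Watcher.py / TestSpeed.py executed by a Python interpreter.
    if ev.process_name.lower().startswith("python"):
        for tok in ev.command_line.split():
            if os.path.basename(tok).lower() in KNOWN_STAGER_SCRIPTS:
                hits.append("known_stager_script")
                break
    # The lure archive being unpacked (unzip, ditto, Archive Utility, ...).
    if LURE_ARCHIVE in ev.command_line.lower():
        hits.append("lure_archive")
    return hits


def hunt(events) -> dict:
    """Map event index -> matched indicators, for events with at least one hit."""
    return {i: hits for i, ev in enumerate(events) if (hits := classify(ev))}


# Constructed sample telemetry: one benign Discord launch, one impersonation,
# the two stager scripts, the lure archive being unzipped, and a benign script.
SAMPLE_EVENTS = [
    ProcEvent("Discord", "/Applications/Discord.app/Contents/MacOS/Discord", "Discord", "launchd"),
    ProcEvent("Discord", "/Users/alice/Library/Application Support/discord/Discord", "Discord", "launchd"),
    ProcEvent("python3", "/usr/bin/python3", "python3 Watcher.py", "Terminal"),
    ProcEvent("python3", "/usr/bin/python3", "python3 TestSpeed.py", "python3"),
    ProcEvent("unzip", "/usr/bin/unzip", "unzip Cross-Platform Bridges.zip", "zsh"),
    ProcEvent("python3", "/usr/bin/python3", "python3 train.py --epochs 3", "zsh"),
]

if __name__ == "__main__":
    for i, hits in hunt(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i].command_line, hits)
```

Name-based matches like these are trivially evaded by renaming a script or archive, so treat them as a quick sweep for this specific campaign rather than durable coverage; behavioural signals, such as the in-memory loading discussed below, hold up better across reuse of the tooling.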
The Kandykorn malware communicates with a command-and-control (C2) server over an RC4-encrypted channel and uses a unique handshake mechanism, waiting for commands rather than polling for them. The Elastic report details the various commands Kandykorn can execute, including file upload and download, process manipulation and execution of arbitrary system commands.
The Elastic team highlighted the use of reflective binary loading, a memory-resident form of execution that can bypass traditional, file-based detection methods. This type of fileless execution has previously been seen in attacks carried out by the Lazarus Group, whose focus on stealing cryptocurrency is a means of bypassing international sanctions.
The technical write-up provides extensive technical details, including EQL queries for hunting and detection, as well as insights into the malware’s infrastructure and the Diamond Model used to describe the intrusion’s relationships.