North Korean Hackers Targeting Crypto Experts with KANDYKORN macOS Malware


November 1, 2023 at 05:36AM

State-sponsored threat actors from North Korea’s Lazarus Group have been targeting blockchain engineers of a crypto exchange platform through Discord using a new macOS malware called KANDYKORN. The attacks involve social engineering lures and a multi-stage process to deliver the malware. The Lazarus Group has previously used macOS malware in its attacks. Additionally, a North Korean hacking group called Kimsuky has been found using an updated variant of Android spyware called FastViewer to harvest data from compromised devices.

Key Takeaways from Meeting Notes:

1. State-sponsored threat actors from the Democratic People’s Republic of Korea (DPRK) have been targeting blockchain engineers of an unnamed crypto exchange platform via Discord using a macOS malware called KANDYKORN. This activity has been traced back to April 2023 and shows similarities with the Lazarus Group.

2. The Lazarus Group, known for its previous macOS malware attacks, has used different techniques in the past, including distributing a backdoored PDF application and a RustBucket AppleScript-based backdoor.

3. In the new campaign, threat actors impersonate blockchain engineers on a public Discord server and use social engineering methods to trick victims into downloading a ZIP archive containing malicious code. They claim it is an arbitrage bot, but it actually deploys KANDYKORN through a five-stage process.

4. KANDYKORN is an advanced implant with various capabilities to monitor, interact with, and avoid detection. It utilizes reflective loading, a form of execution that may bypass detections.

5. The attack chain involves multiple Python scripts hosted on Google Drive, with each script serving as a dropper to download and execute subsequent payloads, including SUGARLOADER and HLOADER.

6. SUGARLOADER connects to a remote server in order to retrieve KANDYKORN and execute it directly in memory. HLOADER masquerades as the legitimate Discord application and achieves persistence through execution flow hijacking.

7. KANDYKORN is a full-featured, memory-resident RAT (Remote Access Trojan) with capabilities to enumerate files, run additional malware, exfiltrate data, terminate processes, and run arbitrary commands.

8. The motivation behind these attacks by the DPRK, including through units like the Lazarus Group, is to steal cryptocurrency and circumvent international sanctions that impede their economic growth.

9. In a separate development, the Kimsuky threat cluster, linked to the Lazarus Group, has been found to be using an updated variant of Android spyware called FastViewer. FastViewer abuses Android’s accessibility services to collect sensitive data and download a second-stage malware called FastSpy for data gathering and exfiltration.

10. The updated variant integrates the functionality of FastSpy into FastViewer, eliminating the need to download additional malware. However, there are currently no known cases of this variant being distributed in the wild.
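For defenders, the behaviours in items 5 and 6 (chained Python droppers pulling from a file-sharing host, and a binary posing as Discord) can be hunted in process telemetry. The sketch below is an added example, not code from the article or from any vendor; the `Proc` record schema, the signer placeholder and all sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed values, not taken from the article; tune to your environment.
FILE_SHARE_HOSTS = {"drive.google.com"}
KNOWN_GOOD_DISCORD_SIGNER = "DISCORD_SIGNER_PLACEHOLDER"

@dataclass
class Proc:  # hypothetical endpoint-telemetry record
    pid: int
    ppid: int
    image: str
    signer: Optional[str] = None              # None means unsigned
    hosts: set = field(default_factory=set)   # remote hosts contacted

def is_python(p):
    return p.image.rsplit("/", 1)[-1].startswith("python")

def ancestors(p, by_pid):
    seen = {p.pid}  # guards against PID-reuse loops in the telemetry
    while p.ppid in by_pid and p.ppid not in seen:
        p = by_pid[p.ppid]
        seen.add(p.pid)
        yield p

def detect(events):
    by_pid = {p.pid: p for p in events}
    alerts = []
    for p in events:
        # Masquerade: named Discord but not signed by the known-good signer.
        if p.image.endswith("/Discord") and p.signer != KNOWN_GOOD_DISCORD_SIGNER:
            alerts.append(("discord_masquerade", p.pid))
        # Dropper chain: unsigned non-Python binary whose ancestry contains Python
        # stages, at least one of which pulled content from a file-sharing host.
        stages = [a for a in ancestors(p, by_pid) if is_python(a)]
        if (not is_python(p) and p.signer is None
                and any(a.hosts & FILE_SHARE_HOSTS for a in stages)):
            alerts.append(("python_dropper_chain", p.pid, len(stages)))
    return alerts

# Constructed sample events (paths, PIDs and hosts are invented for the demo).
SAMPLE = [
    Proc(100, 1, "/bin/zsh", "platform"),
    Proc(101, 100, "/usr/bin/python3", "platform", {"drive.google.com"}),
    Proc(102, 101, "/usr/bin/python3", "platform", {"drive.google.com"}),
    Proc(103, 102, "/Users/dev/.cache/loader", None, {"203.0.113.10"}),
    Proc(200, 1, "/Applications/Discord.app/Contents/MacOS/Discord", None),
    Proc(300, 1, "/Applications/Discord.app/Contents/MacOS/Discord", KNOWN_GOOD_DISCORD_SIGNER),
    Proc(400, 100, "/usr/bin/python3", "platform", {"pypi.org"}),
    Proc(401, 400, "/Users/dev/proj/build/tool", None),
]
```

The benign build at PID 401 is not flagged because its Python parent never contacted a file-sharing host, which is the correlation that keeps developer workstations from alerting on every locally compiled binary.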

Note: The meeting notes focus on the activities of state-sponsored threat actors from the DPRK, particularly the Lazarus Group, targeting blockchain engineers and using macOS and Android malware. The purpose of these attacks is to steal cryptocurrency and evade international sanctions.
