November 4, 2023 at 12:30PM
The North Korean hacking group Lazarus has been using new macOS and Windows malware in recent attacks, according to security researchers. In one attack, Lazarus targeted blockchain engineers at a cryptocurrency exchange platform by impersonating members of the blockchain community and convincing the victim to download an archive containing malicious code. The malware, named KandyKorn, was executed on the target machine, allowing the attackers to access and exfiltrate data. Lazarus has also been observed attacking victims of a security software product used to encrypt web communications, after compromising the application vendor through known vulnerabilities. The group deployed a new Windows backdoor called Signbt, which provides full control over the victim machine.
During the meeting, it was discussed that the notorious North Korean hacking group Lazarus has been using new macOS and Windows malware in recent attacks. They targeted blockchain engineers at a cryptocurrency exchange platform with a Python application that provided initial access and loaded binaries in memory. Lazarus impersonated members of the blockchain community on a public Discord channel to convince the victim to download an archive containing malicious code.
The attackers executed a new macOS malware called KandyKorn on the target machine, allowing them to access and exfiltrate data. KandyKorn is an advanced implant with various capabilities to monitor the host, interact with it, and avoid detection. It uses reflective loading, a form of in-memory execution that may bypass detections which rely on the malicious code being written to disk.
Lazarus also launched attacks on victims using a security software product for encrypting web communications. They exploited known but unpatched vulnerabilities in the software vendor's ecosystem. In these attacks, a new Windows backdoor called Signbt was deployed, giving the attackers full control over the victim machine.
The threat actor behind Lazarus has been refining its tactics, including exploiting vulnerabilities in high-profile software, to spread its malware efficiently once an initial infection is achieved.