State-sponsored threat actors from the Democratic People’s Republic of Korea (DPRK) have been discovered targeting blockchain engineers associated with an undisclosed cryptocurrency exchange platform. This operation, which was initiated in April 2023, involved a novel macOS malware known as KANDYKORN.
Researchers at Elastic Security Labs have linked this activity to the infamous Lazarus Group, an adversarial collective with a history of cyber espionage and financial crimes. The threat actors used a Python application to lure blockchain engineers, gaining initial access to their environment. This intrusion consisted of multiple intricate stages, each employing sophisticated defence evasion techniques.
What sets this campaign apart is the attackers’ use of social engineering to trick victims on a public Discord server. They impersonated blockchain engineers and enticed their targets to download and execute a ZIP archive containing malicious code. The victims believed they were installing an arbitrage bot, a tool used to profit from cryptocurrency rate differences between platforms. However, this seemingly benign software download paved the way for the delivery of KANDYKORN, a sophisticated macOS malware.
KANDYKORN is an advanced implant with capabilities for monitoring, interaction, and evasion of detection. It is delivered by reflective loading, meaning the payload is mapped and executed directly from memory rather than being written to disk as a file, which sidesteps file-based scanning and leaves fewer artifacts for forensic review.
The infection chain begins with a Python script named “watcher.py,” which retrieves a second Python script, “testSpeed.py,” hosted on Google Drive. “testSpeed.py” in turn fetches a further Python file, “FinderTools,” from another Google Drive URL. FinderTools also acts as a dropper, downloading and executing a hidden second-stage payload known as SUGARLOADER.
SUGARLOADER connects to a remote server to retrieve KANDYKORN and executes it directly in memory. It also launches a Swift-based self-signed binary called HLOADER, which masquerades as the legitimate Discord application and executes SUGARLOADER to establish persistence through execution flow hijacking.
KANDYKORN, the final-stage payload, is a comprehensive memory-resident Remote Access Trojan (RAT). It has built-in capabilities for file enumeration, running additional malware, data exfiltration, process termination, and executing arbitrary commands.
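The execution flow hijack described above gives a defender one concrete thing to check: an application bundle's Contents/MacOS directory should contain only the executable its Info.plist declares, and that executable should carry the vendor's signature. The audit below is an added example written for this article, not code from Elastic Security Labs or from the article itself. The sample bundle it builds is constructed in a temporary directory, and the layout it assumes for a hijacked bundle (a loader at the declared executable path with the original binary parked beside it as a hidden Mach-O) is an assumption, since the article does not give the file names the implant used.

```python
import plistlib
import shutil
import subprocess
import tempfile
from pathlib import Path

# First four bytes of thin and fat (universal) Mach-O files, either byte order.
MACHO_MAGICS = {
    b"\xcf\xfa\xed\xfe", b"\xfe\xed\xfa\xcf",  # 64-bit
    b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xce",  # 32-bit
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # fat / universal
}


def is_macho(path: Path) -> bool:
    """True if the file starts with a Mach-O or fat header magic."""
    try:
        with path.open("rb") as f:
            return f.read(4) in MACHO_MAGICS
    except OSError:
        return False


def audit_bundle(app: Path, check_signature: bool = True) -> list[str]:
    """Report Mach-O files in Contents/MacOS that Info.plist does not declare,
    plus a codesign failure when the tool is available (macOS only)."""
    findings: list[str] = []
    macos_dir = app / "Contents" / "MacOS"
    try:
        with (app / "Contents" / "Info.plist").open("rb") as f:
            declared = plistlib.load(f).get("CFBundleExecutable")
    except (OSError, plistlib.InvalidFileException):
        return [f"{app.name}: unreadable or missing Info.plist"]
    if not declared:
        return [f"{app.name}: Info.plist declares no CFBundleExecutable"]
    if not (macos_dir / declared).is_file():
        findings.append(f"{app.name}: declared executable '{declared}' is missing")
    entries = sorted(macos_dir.iterdir()) if macos_dir.is_dir() else []
    for entry in entries:
        if entry.name == declared or not entry.is_file():
            continue
        if is_macho(entry):
            hidden = "hidden " if entry.name.startswith(".") else ""
            findings.append(
                f"{app.name}: undeclared {hidden}Mach-O '{entry.name}' in Contents/MacOS"
            )
    # codesign exists only on macOS; a self-signed loader at the declared path
    # will not pass --strict verification against the original signature.
    if check_signature and shutil.which("codesign"):
        r = subprocess.run(
            ["codesign", "--verify", "--deep", "--strict", str(app)],
            capture_output=True, text=True,
        )
        if r.returncode != 0:
            findings.append(f"{app.name}: signature verification failed: {r.stderr.strip()}")
    return findings


def build_sample_bundle(root: Path, hijacked: bool) -> Path:
    """Construct a minimal Discord.app layout for the demo (not a real app).
    The files hold only a Mach-O magic plus padding; they are not runnable."""
    app = root / "Discord.app"
    macos_dir = app / "Contents" / "MacOS"
    macos_dir.mkdir(parents=True)
    with (app / "Contents" / "Info.plist").open("wb") as f:
        plistlib.dump({"CFBundleExecutable": "Discord"}, f)
    fake_macho = b"\xcf\xfa\xed\xfe" + b"\x00" * 28
    (macos_dir / "Discord").write_bytes(fake_macho)
    if hijacked:
        # Assumed hijack layout: the loader occupies the declared path and the
        # genuine binary is parked beside it under a dotfile name.
        (macos_dir / ".lock").write_bytes(fake_macho)
    return app


def demo() -> dict[str, list[str]]:
    """Audit one clean and one hijacked constructed bundle; signature check off
    because the constructed files are not real signed binaries."""
    with tempfile.TemporaryDirectory() as d:
        clean = build_sample_bundle(Path(d) / "clean", hijacked=False)
        bad = build_sample_bundle(Path(d) / "bad", hijacked=True)
        return {
            "clean": audit_bundle(clean, check_signature=False),
            "hijacked": audit_bundle(bad, check_signature=False),
        }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or "no findings")
```

On a real host, run `audit_bundle(Path("/Applications/Discord.app"))` with the signature check enabled; an unsigned or re-signed main executable and any extra Mach-O beside it are both worth pulling for analysis. The magic-byte check is deliberately cheap so the audit can be swept across every bundle under /Applications without parsing full Mach-O headers.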
The DPRK, specifically the Lazarus Group, continues to target crypto-industry businesses, aiming to steal cryptocurrency to circumvent international sanctions that restrict their economic growth.
In a related development, the S2W Threat Analysis team has identified an updated version of an Android spyware called FastViewer, used by a North Korean threat cluster known as Kimsuky (also known as APT43), a sister hacking outfit of the Lazarus Group. FastViewer, first documented in October 2022, exploits Android’s accessibility services to covertly harvest sensitive data from compromised devices. It is typically disguised as benign security or e-commerce apps, distributed through phishing or smishing campaigns. The malware also downloads a second-stage malware called FastSpy for data gathering and exfiltration.
This new variant integrates FastSpy’s functionality directly into FastViewer, eliminating the need to download additional malware. However, there have been no reported cases of this variant being distributed in the wild.
As cybersecurity threats continue to evolve, organizations and individuals in the cryptocurrency and mobile device sectors need to remain vigilant and employ robust security measures to protect their assets and data.