The Lazarus APT group, which has ties to North Korea, has come to the attention of researchers at Elastic Security Labs for deploying a novel macOS malware named KandyKorn in targeted attacks against blockchain engineers.
According to Elastic Security Labs, KandyKorn is a sophisticated implant with a diverse range of capabilities that let it monitor the host, interact with it, and evade detection. Notably, KandyKorn is loaded reflectively, a direct-memory execution method that can evade conventional detection mechanisms because the payload never has to be written to disk as a standalone executable.
In the course of these operations, the threat actors posed as members of the blockchain engineering community in a public Discord channel regularly used by that community. Their approach was to deceive unsuspecting victims into downloading and decompressing a ZIP archive labeled “Cross-Platform Bridges.zip,” which concealed malicious Python code masquerading as an arbitrage bot. Arbitrage bots are tools used to profit from variations in cryptocurrency rates across different platforms.
The overarching goal of the attack chain was to compromise the targeted system with the KandyKorn macOS malware. To achieve this objective, a sequence of malicious code components was utilized:
- Stage 0 (Initial Compromise) – “Watcher.py”
- Stage 1 (Dropper) – “testSpeed.py” and “FinderTools”
- Stage 2 (Payload) – “.sld” and “.log” files, collectively referred to as “SUGARLOADER”
- Stage 3 (Loader) – Deceptive “Discord” application (fake) – “HLOADER”
- Stage 4 (Payload) – The actual KandyKorn malware
Upon decompression of the aforementioned archive, a “Main.py” script and a folder named “order_book_recorder,” housing 13 Python scripts, were revealed. The SUGARLOADER component established a connection with a command and control (C2) server to download KandyKorn and execute it directly within the system’s memory.
Elastic Security researchers traced this campaign back to April 2023, primarily by tracking the RC4 key used to encrypt the SUGARLOADER and KandyKorn C2 communications.
KandyKorn supports a diverse set of commands, including information harvesting, directory listing and process enumeration, file download and upload, archiving directories and exfiltrating data, process termination, terminal command execution, shell spawning, server configuration retrieval, sleep mode, and program termination.
North Korea-linked threat actors persist in their relentless targeting of cryptocurrency-related organizations, a strategy aimed at circumventing international sanctions and financing their military endeavors.
The report concludes, “The DPRK, through units such as the LAZARUS GROUP, continues to target crypto-industry businesses with the goal of stealing cryptocurrency in order to circumvent international sanctions that hinder the growth of their economy and ambitions. In this intrusion, they targeted blockchain engineers active on a public chat server with a lure designed to speak to their skills and interests, with the underlying promise of financial gain. The infection required interactivity from the victim that would still be expected had the lure been legitimate.”
Elastic Security warns that this campaign remains active and emphasizes that the threat actors behind it are continually refining their tactics, techniques, and procedures to ensure their continued effectiveness.