North Korean hackers suspected to be associated with the Lazarus Group have been observed targeting blockchain engineers involved in cryptocurrency exchange platforms with a new macOS malware named Kandykorn.
This intrusion, tracked as REF7001 by Elastic Security Labs, utilized a combination of custom and open source capabilities to gain initial access and post-exploitation on macOS systems.
Writing in an advisory published today, the security experts said the intrusion began when attackers impersonated members of the blockchain engineering community on a public Discord server, convincing victims to download and decompress a ZIP archive containing malicious code. The victim believed they were installing an arbitrage bot to profit from cryptocurrency rate differences.
The execution flow of REF7001 involved five stages:
Initial Compromise: A Python application named Watcher.py was camouflaged as an arbitrage bot and was distributed in a .zip file titled “Cross-Platform Bridges.zip.”
Dropper: TestSpeed.py and FinderTools were used as intermediate dropper scripts to download and execute Sugarloader.
Payload: Sugarloader, an obfuscated binary, was used for initial access and as a loader for the final stage, Kandykorn.
Loader: Hloader, a payload masquerading as the legitimate Discord application, was used as a persistence mechanism for loading Sugarloader.
Payload: Kandykorn, the final stage of the intrusion, provided a full-featured set of capabilities for data access and exfiltration.
The Kandykorn malware communicates with a command-and-control (C2) server using encrypted RC4 and utilizes a unique handshake mechanism, waiting for commands instead of polling for them. The Elastic report details various commands that Kandykorn can execute, including file upload and download, process manipulation and execution of arbitrary system commands.
The Elastic team highlighted the use of reflective binary loading, a memory-resident form of execution that can bypass traditional detection methods. This type of fileless execution has been previously witnessed in attacks carried out by the Lazarus Group, with a focus on stealing cryptocurrency to circumvent international sanctions.
The technical write-up provides extensive technical details, including EQL queries for hunting and detection, as well as insights into the malware’s infrastructure and the Diamond Model used to describe the intrusion’s relationships.