North Korean hackers target macOS crypto engineers with Kandykorn

esteria.white

North Korean hackers believed to be associated with the Lazarus Group have been observed targeting blockchain engineers involved in cryptocurrency exchanges with a new macOS malware named Kandykorn.

This intrusion, tracked as REF7001 by Elastic Security Labs, used a combination of custom and open-source capabilities for initial access and post-exploitation on macOS systems.

In an advisory published today, security experts said the intrusion began when attackers posed as members of the blockchain engineering community on a public Discord server, convincing victims to download and unzip a ZIP archive containing malicious code. The victims believed they were installing an arbitrage bot to take advantage of cryptocurrency rate differences between exchanges.

The REF7001 execution flow consisted of five steps:

  1. Initial compromise: A Python application named Watcher.py was disguised as an arbitrage bot and distributed in a .zip file titled “Cross-Platform Bridges.zip.”

  2. Dropper: TestSpeed.py and FinderTools were used as intermediate dropper scripts to download and run Sugarloader.

  3. Payload: Sugarloader, an obfuscated binary, was used for initial access and as a loader for the final stage, Kandykorn.

  4. Loader: Hloader, a payload masquerading as the legitimate Discord app, was used as a persistence mechanism to load Sugarloader.

  5. Payload: Kandykorn, the final stage of the intrusion, provided a comprehensive feature set for data access and exfiltration.
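The chain above is a staged one: a Python script as the lure, interpreter-level droppers, a native loader and a binary masquerading as the Discord client. The following is an added example (not Elastic's published EQL or any code from the report) of how a defender might express two of those behaviours as rules and run them over constructed process-start events. The sample events, the extracted folder name under /Users/dev, the assumed Discord install path, the set of "trusted" roots and the rule names are all assumptions made for this example, not details taken from the report.

```python
# Added example: hypothetical detection logic for a staged chain like REF7001,
# run over constructed process-start events (not real telemetry).

INTERPRETERS = {"python", "python3", "sh", "bash", "zsh", "osascript"}
# Roots a normal user account cannot write to on macOS (assumed heuristic)
TRUSTED_ROOTS = ("/usr/", "/bin/", "/sbin/", "/System/", "/Applications/", "/Library/")
# Where a known app's main binary is expected to live (assumed install path)
KNOWN_APP_PATHS = {"Discord": "/Applications/Discord.app/Contents/MacOS/"}

# Constructed sample events modelled on the chain described in the article:
# lure script -> dropper script -> native dropper, plus a Discord lookalike.
SAMPLE_EVENTS = [
    {"pid": 101, "ppid": 1,   "name": "python3", "executable": "/usr/bin/python3",
     "args": ["python3", "/Users/dev/Cross-Platform Bridges/Watcher.py"]},
    {"pid": 102, "ppid": 101, "name": "python3", "executable": "/usr/bin/python3",
     "args": ["python3", "/Users/dev/Cross-Platform Bridges/TestSpeed.py"]},
    {"pid": 103, "ppid": 102, "name": "FinderTools",
     "executable": "/Users/dev/Cross-Platform Bridges/FinderTools", "args": ["FinderTools"]},
    {"pid": 200, "ppid": 1,   "name": "Discord",
     "executable": "/Applications/Discord.app/Contents/MacOS/Discord", "args": ["Discord"]},
    {"pid": 201, "ppid": 1,   "name": "Discord",
     "executable": "/Users/dev/Library/Application Support/discord/Discord", "args": ["Discord"]},
    {"pid": 300, "ppid": 1,   "name": "python3", "executable": "/usr/bin/python3",
     "args": ["python3", "/usr/local/lib/python3/site-packages/pip/__main__.py"]},
]


def is_user_writable(path):
    """Heuristic: anything outside the system/vendor roots is treated as user-writable."""
    return not path.startswith(TRUSTED_ROOTS)


def ancestry(by_pid, pid):
    """Walk ppid links to give the process chain for an alert (child first)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Return (rule, pid) alerts for the two behaviours below."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        # Rule 1: a well-known app name running from somewhere other than its
        # expected install location (the Hloader-style Discord masquerade).
        expected = KNOWN_APP_PATHS.get(e["name"])
        if expected and not e["executable"].startswith(expected):
            alerts.append(("masquerade", e["pid"]))
        # Rule 2: a script interpreter spawning a native binary that lives in a
        # user-writable path (dropper script launching a downloaded loader).
        parent = by_pid.get(e["ppid"])
        if (parent and parent["name"] in INTERPRETERS
                and e["name"] not in INTERPRETERS
                and is_user_writable(e["executable"])):
            alerts.append(("interpreter_spawned_user_binary", e["pid"]))
    return alerts


if __name__ == "__main__":
    index = {e["pid"]: e for e in SAMPLE_EVENTS}
    for rule, pid in detect(SAMPLE_EVENTS):
        print(rule, pid, "chain:", [index[p]["name"] for p in ancestry(index, pid)])
```

Rule 2 deliberately ignores interpreter-to-interpreter hops (Watcher.py calling TestSpeed.py) and only fires when a native binary appears from a user-writable directory, which keeps ordinary developer workflows out of the alert set while still catching the drop-and-execute step; the legitimate Discord and pip events in the sample are there to show that neither rule fires on them.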

The Kandykorn malware communicates with a command and control (C2) server over RC4-encrypted traffic and uses a unique handshake mechanism, waiting for commands instead of polling for them. The Elastic report details various commands that Kandykorn can execute, including uploading and downloading files, manipulating processes, and executing arbitrary system commands.
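RC4 in a C2 channel hides command content from signature-based inspection, but it offers no real protection once the key has been pulled out of the sample. The block below is an added example, not code from the Elastic report and not Kandykorn's real key, framing or handshake: it implements RC4 as an analyst would to decrypt captured traffic, and it shows the keystream-reuse weakness that applies to any RC4 C2 that reuses one static key without a per-message nonce. The key and the two "captured" messages are constructed for this example.

```python
# Added example: plain RC4 plus the keystream-reuse check an analyst would run on
# captured RC4-encrypted C2 traffic. Key and messages are constructed, not real.

def rc4_keystream(key):
    """Yield the RC4 keystream for `key` (KSA followed by PRGA)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                               # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key, data):
    """Encrypt or decrypt; RC4 is symmetric so the same call does both."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


# Constructed "captured" C2 exchange encrypted under one static key.
# Assumption for the example: the key was recovered from the binary.
SAMPLE_KEY = b"example-static-key"
SAMPLE_COMMAND = b'{"cmd":"exec","args":"whoami"}'
SAMPLE_RESPONSE = b'{"result":"dev"}'


def decrypt_captured(key, ciphertext):
    """Recover plaintext from a captured message once the key is known."""
    return rc4(key, ciphertext)


def recover_with_known_plaintext(c1, p1, c2):
    """If two messages reuse the same keystream (same key, no nonce), the
    keystream cancels: c1 ^ c2 = p1 ^ p2, so a known p1 reveals p2 up to
    the shorter length even without the key."""
    n = min(len(c1), len(c2), len(p1))
    return bytes(c1[k] ^ p1[k] ^ c2[k] for k in range(n))


if __name__ == "__main__":
    c_cmd = rc4(SAMPLE_KEY, SAMPLE_COMMAND)
    c_resp = rc4(SAMPLE_KEY, SAMPLE_RESPONSE)
    print("decrypted command :", decrypt_captured(SAMPLE_KEY, c_cmd))
    print("leaked response   :", recover_with_known_plaintext(c_cmd, SAMPLE_COMMAND, c_resp))
```

The usual workflow is to confirm the implementation against a published RC4 test vector first (for example key "Key" and plaintext "Plaintext" must give bbf316e8d940af0ad3), then run the recovered key over the captured stream; if the malware re-keys per message or per session, the known-plaintext trick stops working and the decryption has to be driven from the key material instead.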


The Elastic team highlighted the use of reflective binary loading, a form of memory-resident execution that can bypass traditional file-based detection. This kind of fileless execution has previously been observed in attacks by the Lazarus Group, which has focused on stealing cryptocurrency to circumvent international sanctions.

The Elastic write-up provides further technical detail, including EQL queries for hunting and detection, as well as information about the malware's infrastructure and a Diamond Model analysis describing the relationships within the intrusion.
