Hackers linked to North Korea are targeting blockchain engineers’ Apple devices with new, advanced malware, researchers have found.
The tactics and techniques used in the campaign overlap with the activity of the North Korean state-sponsored hacker group Lazarus, as reported by cybersecurity firm Elastic Security Labs.
The hackers’ likely goal is to steal cryptocurrencies as part of the North Korean regime’s efforts to evade international sanctions, researchers said.
The engineers work for a cryptocurrency exchange, Elastic said. The report does not specify the company.
To gain access to target systems, the hackers created a Python application masquerading as a cryptocurrency arbitrage bot – a program that automatically buys and sells cryptocurrencies to profit from price differences between crypto exchanges.
This application was delivered to potential victims via a direct message on a public Discord server popular among blockchain engineers, the researchers said.
This intrusion targeted devices running macOS, typically Apple laptops or desktops. The hackers attempted to load malicious payloads into memory, which is atypical behavior for macOS intrusions, the researchers said.
The hackers ultimately attempted to infect victims with malware that researchers call Kandykorn. It is an advanced implant capable of accessing and exfiltrating data from the victim’s computer, downloading and executing additional payloads, and killing processes, all while avoiding being detected, Elastic said.
The campaign began as early as April and remains active, the researchers said, with continued development of tools and techniques. It is not known how many victims were infected by the malware or whether any cryptocurrency was stolen.
In October, researchers reported that Lazarus had exploited a vulnerability at a “leading” software company to target its customers. The hackers used the SIGNBT and LPEClient malware strains to collect information from victims’ devices and steal login credentials from their systems.
Daryna Antoniuk
Daryna Antoniuk is a freelance journalist for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe, and the state of the Ukraine-Russia cyberwar. She was previously a tech journalist for Forbes Ukraine. Her work has also been published in Sifted, The Kyiv Independent and The Kyiv Post.