KandyKorn is a stealthy backdoor designed to extract data, file uploading/downloading, directory listing, process termination, secure deletion, and command execution.
A new macOS malware dubbed KandyKorn is currently targeting devices of unsuspected cryptocurrency users and blockchain engineers. The malware, KandyKorn, has been linked to the North Korean hacking group Lazarus and was discovered by cybersecurity researchers at Elastic Security Labs.
Lazarus, a North Korean state-backed hacking group, targets cryptocurrency exchanges, investors, and critical Western infrastructure for stealing data and crypto funds. The group is attributed to significantly boosting the North Korean economy by stealing hundreds of millions of dollars in recent years.
According to researchers, KandyKorn malware operators target blockchain engineers of a cryptocurrency exchange platform. Researchers noted that KandyKorn is a stealthy backdoor designed to extract data, file uploading/downloading, directory listing, process termination, secure deletion, and command execution.
According to Elastic Security Labs’ research, KandyKorn is a sophisticated malware capable of hijacking macOS devices and deploying additional malware. It is distributed via phishing emails that seem to be sent by legitimate sources like cryptocurrency exchanges or blockchain development companies.
In a blog post, authored by Colson Wilhoit, Rizardo Ungureanu, Seth Goodwin, and Andrew Pease, researchers wrote that users are tricked into downloading a malicious ZIP archive titled ‘Cross-platform Bridges.zip.’
This file imitates an arbitrage bot created for automated profit generation, but actually, it imports thirteen malicious modules. For your information, an arbitrage bot is a software tool that can generate profits from cryptocurrency rate differences across different platforms.
Once the malware is installed on the device, it starts stealing a wide range of data, from cryptocurrency wallet addresses and private keys to transaction history. That’s not all! it can also use the compromised devices to launch attacks against new targets or mine cryptocurrency.
“We observed the threat actor adopting a technique we have not previously seen them use to achieve persistence on macOS, known as execution flow hijacking.”Elastic Security Labs
The execution flow, as noted by Elastic Security Labs, is as follows:
- Stage 0 (Initial Compromise) – Watcher.py
- Stage 1 (Dropper) – testSpeed.py and FinderTools
- Stage 2 (Payload) – .sld and .log – SUGARLOADER
- Stage 3 (Loader)- Discord (fake) – HLOADER
- Stage 4 (Payload) – KANDYKORN
What makes KandyKorn a bigger threat than many other malware is that it is difficult to detect as it uses multiple techniques to evade detection by security processes and antiviruses.
The reason KandyKorn operators are explicitly targeting the cryptocurrency community and engineers is that they have access to valuable assets like crypto wallets. Therefore, they automatically become attractive targets.
macOS device users must stay alert of this threat and adopt protective measures such as verifying the email source before opening/downloading any attachment, avoiding checking emails from unknown senders, keeping software and applications up to date, including security applications, antiviruses, and operating system, and using strong passwords with 2FA enabled if possible.
- North Korean Hackers Targeting Banks Globally: Report
- South Korea Blames North Korean Hackers For Stealing Bitcoin
- Hackers steal personal details of 1,000 North Korean Defectors
- Lazarus APT Exploiting LinkedIn to Target Spanish Aerospace Firm
- South Korean subway system hacked, North Korea a possible culprit
- Elite North Koreans aren’t opposed to exploiting internet for financial gain