North Korean Hackers Target Blockchain Engineers’ Macs with Discord Malware


In a sophisticated cyber campaign, North Korean-affiliated hackers are actively targeting the Apple devices of blockchain engineers.

These perpetrators intend to compromise these systems through the use of sophisticated malware, which raises concerns regarding the possible theft of cryptocurrencies.

The research outcomes, which were disclosed on October 31 by Elastic Security Labs, a cybersecurity firm, unveil an intricate and widely coordinated scheme.

The strategies and methods utilized in this offensive demonstrate notable resemblances to those affiliated with Lazarus, a hacker organization supported by the North Korean government.

In its disclosure of the intrusion, Elastic Security Labs highlighted that the hackers combined custom tooling with publicly available components, delivering the lure through the widely used communication platform Discord.

Elastic Security Labs has named the macOS malware used in these attacks “Kandykorn” and tracks the intrusion set as REF7001.

The origin of this malware is ascribed to the Lazarus Group, a renowned cybercrime organization based in the DPRK, on the basis of identified similarities in network infrastructure and employed techniques.

It should be noted that, although this is a noteworthy and covert attack, it is a narrowly targeted one and should not cause undue concern for the majority of individuals.

The operation was carried out meticulously and proficiently. On Discord, the hackers posed as members of the blockchain engineering community and persuaded their targets to decompress a ZIP archive containing malicious Python code.

Although presented as an arbitrage bot designed to profit from cryptocurrency price differences between exchanges, this code in fact deployed Kandykorn.

The execution flow of REF7001 can be broken down into the following stages:

Initial Compromise: Threat actors initiated the attack by targeting blockchain engineers with a Python application named “Watcher.py,” posing as an arbitrage bot. Victims received this application in a ZIP file named “Cross-Platform Bridges.zip.”

Network Connection: Once the malicious Python code ran, it established an outbound network connection to intermediary dropper scripts responsible for downloading and executing “Sugarloader.”

Payload: The obfuscated binary “Sugarloader” played a pivotal role in gaining initial access to the macOS system, setting the stage for the final phase.

Persistence: “Hloader,” disguised as the legitimate Discord application, was launched alongside it to ensure that “Sugarloader” maintained persistence on the compromised systems.

Execution: The final stage, “Kandykorn,” was poised to receive commands from the command-and-control (C2) server. This sophisticated malware had a wide range of capabilities, including data access, command execution, loading additional malicious software, and terminating processes. Communication with the Lazarus Group operators occurred via C2 servers, with traffic encrypted using RC4.
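The staged chain described above suggests a few host-level signals a defender can look for: a Python interpreter running a script out of the “Cross-Platform Bridges” lure folder, that same interpreter opening an outbound connection, and a process calling itself Discord but executing from outside the real application bundle (the Hloader masquerade). The following is an added example, not code from Elastic Security Labs or from this article, that evaluates such rules over a handful of constructed macOS process-event records; the event schema, the destination address (from the 203.0.113.0/24 documentation range) and the file paths are assumptions made for the example.

```python
"""Toy detection pass over constructed macOS process-event records, modelled on
the REF7001 stages described above. Added example; not Elastic's detection logic."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    name: str          # process name as reported by the sensor
    path: str          # executable path on disk
    cmdline: str       # full command line
    net_dst: str = ""  # outbound destination carried by the event, if any


# Constructed sample events (not captured telemetry). The destination address
# is from the 203.0.113.0/24 documentation range, chosen as a placeholder.
SAMPLE_EVENTS = [
    ProcEvent(101, 1, "Finder",
              "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder", "Finder"),
    ProcEvent(202, 101, "Python", "/usr/local/bin/python3",
              "python3 /Users/dev/Downloads/Cross-Platform Bridges/Watcher.py"),
    ProcEvent(203, 202, "Python", "/usr/local/bin/python3",
              "python3 /Users/dev/Downloads/Cross-Platform Bridges/Watcher.py",
              net_dst="203.0.113.10:443"),
    # Real Discord launched from its bundle: must not trip the masquerade rule.
    ProcEvent(301, 1, "Discord", "/Applications/Discord.app/Contents/MacOS/Discord", "Discord"),
    # Something named Discord running from a hidden user-profile directory.
    ProcEvent(302, 1, "Discord",
              "/Users/dev/Library/Application Support/.loader/Discord", "Discord"),
]

# Assumed install location of the legitimate client on this host.
LEGIT_DISCORD_PREFIX = "/Applications/Discord.app/"

LURE_PATTERN = re.compile(r"Cross-Platform Bridges/.*Watcher\.py")


def lure_script_rule(ev: ProcEvent) -> bool:
    # Initial compromise: a Python interpreter running Watcher.py out of the lure folder.
    return ev.name.lower().startswith("python") and LURE_PATTERN.search(ev.cmdline) is not None


def python_beacon_rule(ev: ProcEvent) -> bool:
    # Network connection: the same lure script opening an outbound connection.
    return bool(ev.net_dst) and lure_script_rule(ev)


def discord_masquerade_rule(ev: ProcEvent) -> bool:
    # Persistence: a process named Discord executing from outside the real app bundle.
    return ev.name == "Discord" and not ev.path.startswith(LEGIT_DISCORD_PREFIX)


RULES = {
    "lure_script": lure_script_rule,
    "python_beacon": python_beacon_rule,
    "discord_masquerade": discord_masquerade_rule,
}


def evaluate(events):
    """Return {pid: [rule names]} for every event that trips at least one rule."""
    hits = {}
    for ev in events:
        fired = [name for name, rule in RULES.items() if rule(ev)]
        if fired:
            hits[ev.pid] = fired
    return hits


if __name__ == "__main__":
    for pid, fired in evaluate(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(fired)}")
```

Running the block flags pids 202 and 203 (the lure script, the latter also for its outbound connection) and pid 302 (the Discord look-alike), while the genuine Discord process and Finder produce no hits. In a real deployment the path prefix and lure names would be tuned to the environment; the value of the example is the shape of the rules, which map one-to-one onto the stages in the article.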

The campaign began in April and has continued since, with the operators steadily developing new tools and techniques.

Nevertheless, it is critical to acknowledge that the extent of the infection and the potential theft of any cryptocurrencies are still unknown.

In October, researchers had previously documented Lazarus’ use of the malware strains SIGNBT and LPEClient to target customers of a prominent software vendor by exploiting a vulnerability in that vendor’s software.