North Korean state-sponsored hackers have targeted the blockchain engineers from an unnamed cryptocurrency exchange through Discord. These developers were targeted by a novel macOS malware known as KANDYKORN.

According to a report by cybersecurity researchers Ricardo Ungureanu, Seth Goodwin, and Andrew Pease, threat actors lured blockchain engineers using a Python application to secure initial access to the hacking environment.

The researchers affirmed,

“This intrusion involved multiple complex stages that each employed deliberate defense evasion techniques”

Lazarus Group Launches MacOS Malware Against Blockchain Engineers

It is not the first time the Lazarus Group has used the macOS malware to conduct hacking campaigns.

Earlier this year, the threat actor group was detected distributing a backdoored PDF application, leading to the RustBucket deployment. RustBucket is a backdoor based on AppleScript. The backdoor is used to retrieve second-stage payload from remote servers.

This hacking campaign is unique because of the manner by which threat actors have impersonated blockchain engineers within a public Discord server. The hackers have also used social engineering techniques to trick victims into downloading and executing a ZIP archive with malicious code.

The researchers said that victims were tricked into installing an arbitrate bot. Cryptocurrency traders use this bot to profit from the differences in cryptocurrency rates between platforms.

The researchers noted,

KANDYKORN is an advanced implant with various capabilities to monitor, interact with, and avoid detection. It utilizes reflective loading, a direct-memory form of execution that may bypass detections.

How the Malware Works

The malware starts with a Python script that retrieves another Python script hosted on Google Drive. The dropper collects one more Python file from a Google Drive URL known as FinderTools.

FinderTools also operates like a dropper to download and execute a hidden second-stage payload known as SUGARLOADER. This payload will connect to a remote server to retrieve KANDYKORN and run this malware directly in memory.

The SUGARLOADER malware launches a self-signed binary known as HLOADER. This binary operates like the legitimate Discord application to achieve persistence using execution flow hijacking.

KANDYKORN is deployed as the final-stage payload, and it comes with a full-featured memory resident RAT. It also contains in-built capabilities for fine enumeration, running additional malware, exfiltrating data, terminating processes, and running arbitrary commands.

The researchers further said that North Korea uses units such as the Lazarus Group to target businesses in the cryptocurrency sector to steal crypto assets and violate international sanctions.