Kandykorn Malware
Cyber attackers supported by the government of the Democratic People's Republic of Korea (DPRK) have been identified as targeting blockchain experts associated with an unspecified cryptocurrency exchange platform through the messaging platform Discord. They have employed a new macOS malware called KANDYKORN. This threatening operation can be traced back to April 2023 and shares similarities with the notorious hacking group known as the Lazarus Group, as indicated by an examination of the network infrastructure and tactics utilized.
The attackers lured blockchain professionals into running a Python application, which gave them an initial foothold in the targeted environment. The intrusion then proceeded through multiple stages, each incorporating deliberate techniques to evade detection and bypass security controls.
The Threat Actors Used Social-Engineering Lures to Deploy the Kandykorn Malware
The Lazarus Group's utilization of macOS malware in their operations is not a recent development. In the past year, this threat actor was observed disseminating a tampered PDF application, which eventually led to the deployment of RustBucket, a backdoor based on AppleScript. RustBucket had the capability to retrieve a second-stage payload from a remote server.
What distinguishes the new campaign is the attacker's tactic of posing as blockchain engineers on a public Discord server and employing social engineering techniques to deceive victims into downloading and executing a ZIP archive containing malicious code.
The victims are made to believe that they are installing an arbitrage bot, a software tool that can exploit differences in cryptocurrency rates across platforms for profit. In reality, this deceptive process sets the stage for the delivery of KANDYKORN, which unfolds through a five-stage progression.
A Multi-Stage Infection Chain Facilitates the Kandykorn Malware Infection
KANDYKORN is a sophisticated implant with a wide range of functionality for monitoring, interaction, and evasion of detection. It relies on reflective loading, in which the payload is executed directly from memory rather than from a file on disk, which can defeat detection mechanisms that depend on scanning files.
The initial step in this process involves a Python script, known as 'watcher.py,' which retrieves another Python script, 'testSpeed.py,' hosted on Google Drive. This second Python script acts as a dropper and fetches an additional Python file from a Google Drive URL, named 'FinderTools.'
FinderTools also serves as a dropper, responsible for downloading and executing a concealed second-stage payload referred to as 'SUGARLOADER' (located at /Users/shared/.sld and .log). SUGARLOADER subsequently establishes a connection with a remote server to retrieve KANDYKORN and execute it directly in memory.
SUGARLOADER takes on an additional role by launching a self-signed Swift-based binary called 'HLOADER,' which attempts to masquerade as the legitimate Discord application and execute '.log' (i.e., SUGARLOADER) to achieve persistence through a technique known as execution flow hijacking.
KANDYKORN, serving as the ultimate payload, is a fully-featured memory-resident Remote Access Trojan (RAT) with inherent capabilities for file enumeration, running supplementary malware, exfiltrating data, terminating processes, and executing arbitrary commands.
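The chain above leaves a few on-disk artifacts before the final payload goes memory-resident: the Python droppers (watcher.py, testSpeed.py, FinderTools) and the hidden SUGARLOADER files under /Users/shared. The following host-hunting script is an added example and is not part of the original report or any vendor tooling; it walks a directory tree as if it were the volume root, flags the file names and drop locations named in the text, and goes one step further by flagging any hidden Mach-O binary in the shared directory, so a renamed loader is still caught. The sample tree it builds is constructed for illustration (the "binaries" are only Mach-O magic bytes), and the `/Users/alice/...` paths are invented.

```python
"""Constructed host-hunting example for the KANDYKORN chain described above.

Indicators (file names, drop locations) come from the write-up; the sample
tree built by build_sample_tree() is constructed here for illustration and
contains no real malware (the "binaries" are just Mach-O magic bytes).
"""
import os
import tempfile

# File names and paths named in the write-up. Compared case-insensitively
# because the default macOS volume format is case-insensitive.
DROPPER_NAMES = {"watcher.py", "testspeed.py", "findertools"}
SUGARLOADER_PATHS = {"/users/shared/.sld", "/users/shared/.log"}
SHARED_DIR = "/users/shared"

# Mach-O magic numbers (32/64-bit, both byte orders, plus fat/universal).
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
}


def is_macho(path):
    """True if the file starts with a Mach-O magic number."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False


def hunt(root):
    """Walk `root` as if it were the volume root; return (virtual_path, reason) pairs.

    `root` may be "/" on a real host or a test tree; paths are reported
    relative to it so the same rules apply in both cases.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            vpath = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            vdir, vname = os.path.split(vpath)
            if vpath.lower() in SUGARLOADER_PATHS:
                findings.append((vpath, "SUGARLOADER drop location"))
            elif vname.lower() in DROPPER_NAMES:
                findings.append((vpath, "Python dropper name from the campaign"))
            elif vdir.lower() == SHARED_DIR and vname.startswith(".") and is_macho(full):
                # Broader rule: any hidden Mach-O in the shared directory deserves
                # a look, even if the attacker renames the loader.
                findings.append((vpath, "hidden Mach-O in /Users/shared"))
    return findings


def build_sample_tree():
    """Create a constructed tree containing the indicators above plus one benign file."""
    root = tempfile.mkdtemp(prefix="kandykorn_hunt_")
    layout = {
        "Users/shared/.sld": b"\xcf\xfa\xed\xfe" + b"\x00" * 28,          # 64-bit Mach-O stub
        "Users/shared/.log": b"\xcf\xfa\xed\xfe" + b"\x00" * 28,
        "Users/shared/.cache_helper": b"\xca\xfe\xba\xbe" + b"\x00" * 28,  # renamed loader (fat)
        "Users/alice/Downloads/watcher.py": b"# constructed stand-in for the first stage\n",
        "Users/alice/Documents/notes.txt": b"benign text file\n",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for found_path, reason in hunt(sample_root):
        print(f"{found_path}: {reason}")
```

Run it against `/` on a suspect Mac (as a user that can read /Users/shared) and review every hit; the name-based rules are exact matches to what the report lists, while the hidden-Mach-O rule is deliberately broad and will need tuning for any legitimate software that drops binaries there.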
The presence of KANDYKORN underscores the continuing efforts of the DPRK, particularly through entities like the Lazarus Group, to target cryptocurrency-related businesses. Their primary objective is to steal cryptocurrency in order to circumvent international sanctions that constrain the country's economy and ambitions.