State-Sponsored DPRK Threat Actors Target Blockchain Engineers with Novel macOS Malware

State-sponsored threat actors from the Democratic People’s Republic of Korea (DPRK) have recently been discovered targeting blockchain engineers associated with an undisclosed cryptocurrency exchange platform. The attacks, dating back to April 2023, involve a previously unseen macOS malware known as KANDYKORN and have raised concerns within the cybersecurity community.

Elastic Security Labs, an influential player in the cybersecurity research landscape, has closely monitored this activity and has highlighted striking similarities with the notorious Lazarus Group, a well-known adversarial collective. These observations are based on a thorough analysis of the attackers’ network infrastructure and the techniques they employ.

The intrusion, as outlined in a report published by security researchers Ricardo Ungureanu, Seth Goodwin, and Andrew Pease, began with the perpetrators luring blockchain engineers into their trap using a Python application. This was the initial point of access for the threat actors, setting in motion a multi-stage attack that involved sophisticated defense evasion tactics at each step.

What distinguishes this campaign from previous Lazarus Group activities is the perpetrators’ impersonation of blockchain engineers within a public Discord server. They used social engineering to deceive victims into downloading and executing a ZIP archive that contained malicious code. The victims believed they were installing an arbitrage bot, a seemingly legitimate tool designed to profit from cryptocurrency price differences between exchanges. In reality, this innocuous-sounding action set in motion the five-stage process that deployed KANDYKORN.

KANDYKORN is described as a highly advanced implant with a diverse range of capabilities: it can monitor the host, interact with the system, and evade detection effectively. One of its key features is reflective loading, a form of direct-memory execution that leaves no payload file on disk and may help it evade common file-based detection methods.

The attack begins with a Python script known as “watcher.py,” which retrieves another Python script, “testSpeed.py,” hosted on Google Drive. This second script, in turn, fetches yet another Python file from a Google Drive URL, named “FinderTools.” FinderTools serves as a dropper, downloading and executing a concealed second-stage payload referred to as “SUGARLOADER” (written to /Users/shared/.sld and .log). SUGARLOADER establishes a connection with a remote server, retrieves KANDYKORN, and executes it directly in memory.

SUGARLOADER also plays a critical role in launching a Swift-based, self-signed binary known as “HLOADER,” which masquerades as the legitimate Discord application and executes “.log” (i.e., SUGARLOADER) to establish persistence through a method known as execution flow hijacking.
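The chain described above leaves several observable traces on an endpoint: Python processes running the named dropper scripts and reaching Google Drive, hidden loader files under /Users/shared, those hidden files being executed, and a “Discord” binary that is not signed by Discord’s developer certificate. The following is an added example of how a defender might turn those traces into detection rules; it is not code from the Elastic Security Labs report or from any of the malware. The telemetry format (the `kind`, `exe`, `cmdline`, `signer` fields), the sample events, and the expected legitimate signer value `developer_id` are all constructed assumptions about what an EDR or macOS unified-log pipeline would export.

```python
"""Detection rules for the KANDYKORN delivery chain over constructed endpoint telemetry."""
from collections import defaultdict
from typing import Dict, List

# Indicators taken from the article: SUGARLOADER's hidden files under /Users/shared,
# the Python droppers watcher.py / testSpeed.py / FinderTools, Google Drive hosting,
# and a self-signed binary posing as Discord. Matching is case-insensitive.
HIDDEN_LOADER_PATHS = {"/users/shared/.sld", "/users/shared/.log"}
DROPPER_SCRIPTS = ("watcher.py", "testspeed.py", "findertools")
STAGING_HOSTS = {"drive.google.com"}
EXPECTED_DISCORD_SIGNER = "developer_id"  # assumption: legitimate Discord carries a Developer ID signature

# Constructed sample telemetry (not real logs). pid 501 plays the Python dropper,
# 502 the hidden SUGARLOADER being executed, 503 the HLOADER masquerade,
# and 504 a benign Python process that must not fire.
SAMPLE_EVENTS: List[Dict] = [
    {"kind": "process", "pid": 501, "exe": "/usr/bin/python3",
     "cmdline": "python3 watcher.py", "parent": "/bin/zsh", "signer": "apple"},
    {"kind": "network", "pid": 501, "host": "drive.google.com", "port": 443},
    {"kind": "file", "pid": 501, "path": "/Users/shared/.sld", "op": "create"},
    {"kind": "process", "pid": 502, "exe": "/Users/shared/.log",
     "cmdline": "/Users/shared/.log", "parent": "/usr/bin/python3", "signer": "none"},
    {"kind": "process", "pid": 503,
     "exe": "/Applications/Discord.app/Contents/MacOS/Discord",
     "cmdline": "Discord", "parent": "/sbin/launchd", "signer": "self-signed"},
    {"kind": "process", "pid": 504, "exe": "/usr/bin/python3",
     "cmdline": "python3 manage.py runserver", "parent": "/bin/zsh", "signer": "apple"},
    {"kind": "file", "pid": 504, "path": "/Users/shared/notes.txt", "op": "create"},
]


def check_event(ev: Dict) -> List[str]:
    """Return the names of the single-event rules that match one telemetry record."""
    hits: List[str] = []
    if ev.get("kind") == "file":
        if ev.get("path", "").lower() in HIDDEN_LOADER_PATHS:
            hits.append("hidden_loader_file")
    elif ev.get("kind") == "process":
        exe = ev.get("exe", "")
        cmd = ev.get("cmdline", "").lower()
        # Python interpreter launched with one of the named dropper scripts.
        if "python" in exe.lower() and any(s in cmd for s in DROPPER_SCRIPTS):
            hits.append("dropper_script")
        # A hidden file under /Users/shared being executed (SUGARLOADER run via .log).
        if exe.lower() in HIDDEN_LOADER_PATHS:
            hits.append("hidden_loader_exec")
        # Binary named Discord that lacks the expected developer signature (HLOADER).
        if exe.rsplit("/", 1)[-1] == "Discord" and ev.get("signer") != EXPECTED_DISCORD_SIGNER:
            hits.append("discord_masquerade")
    return hits


def detect(events: List[Dict]) -> List[Dict]:
    """Run single-event rules, then correlate per pid for the full dropper chain.

    The correlation rule fires when one process both matches a dropper script,
    contacts a staging host, and writes a hidden loader file, which is the
    sequence the article attributes to the Python droppers.
    """
    alerts: List[Dict] = []
    per_pid: Dict[int, set] = defaultdict(set)
    for ev in events:
        pid = ev.get("pid")
        for rule in check_event(ev):
            alerts.append({"pid": pid, "rule": rule})
            per_pid[pid].add(rule)
        if ev.get("kind") == "network" and ev.get("host", "").lower() in STAGING_HOSTS:
            per_pid[pid].add("staging_host_contact")  # not alerted alone: too noisy
    for pid, rules in sorted(per_pid.items()):
        if {"dropper_script", "staging_host_contact", "hidden_loader_file"} <= rules:
            alerts.append({"pid": pid, "rule": "dropper_chain"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"pid {alert['pid']}: {alert['rule']}")
```

The single-event rules are deliberately narrow (exact hidden paths, named scripts) because the article gives only those indicators; a production rule would key on the behaviour instead, for example any hidden executable created under /Users/shared, or any process named Discord whose signature does not chain to the vendor, so that renamed files do not slip past. The correlation rule shows why the Google Drive contact is kept as context rather than an alert on its own: the host is legitimate, and only its combination with the dropper and the hidden file write is suspicious.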

KANDYKORN, the ultimate payload in this chain, is a comprehensive memory-resident Remote Access Trojan (RAT). It possesses the capability to enumerate files, execute additional malware, exfiltrate data, terminate processes, and run arbitrary commands.

Researchers warn that the DPRK, primarily through entities like the Lazarus Group, continues to target businesses within the crypto industry with the aim of stealing cryptocurrency. Their objective is to bypass international sanctions that have hindered their economic growth and ambitions.

This discovery is significant in the context of ongoing cybersecurity concerns, as it sheds light on the evolving strategies employed by state-sponsored threat actors. It is essential for organizations and individuals within the cryptocurrency space to remain vigilant and prioritize security measures to protect their assets and data from such sophisticated threats.

In a related development, the S2W Threat Analysis team has uncovered an updated variant of Android spyware known as FastViewer. This spyware is associated with a North Korean threat cluster known as Kimsuky, which is considered a sister hacking group of the Lazarus Group.

FastViewer, initially documented in October 2022 by a South Korean cybersecurity firm, exploits Android’s accessibility services to clandestinely harvest sensitive data from compromised devices. It does so by disguising itself as seemingly harmless security or e-commerce apps that are distributed through phishing or smishing techniques.

The new version of FastViewer, in development since at least July 2023, has integrated the functionality of FastSpy, a second-stage malware, into itself, eliminating the need to download additional malicious software. While this variant has been identified, there are currently no known cases of it being distributed in the wild. Nonetheless, the discovery underscores the constant evolution of these threats and the need for continued vigilance.
