2023-11-01

IT threats from the so-called Democratic People’s Republic of Korea (DPRK), namely the notorious Lazarus Group, which has been covered here several times before, have targeted blockchain engineers at an unnamed crypto exchange via Discord with a new macOS malware called KANDYKORN.

What we know about KANDYKORN

Elastic Security Labs said the activity, dating back to April 2023, overlaps with the infamous Lazarus Group, citing an analysis of the network infrastructure and techniques used.

“The bad guys [the North Korean hackers] have attracted blockchain engineers with a Python application to get initial access to the environment,” stated cybersecurity researchers Ricardo Ungureanu, Seth Goodwin and Andrew Pease in a report released today, adding: “This intrusion involved several complex phases, each of which employed deliberate defense evasion techniques.”

It should be noted that this is not the first time the Lazarus Group has used macOS malware in its attacks: earlier this year, the group was seen distributing a backdoored PDF application that led to the deployment of RustBucket, an AppleScript-based backdoor capable of retrieving a second-stage payload from a remote server.

What makes the new campaign special is that the attackers impersonate blockchain engineers on a public Discord server, using social engineering lures to trick victims into downloading and executing a ZIP file containing malicious code.

“The victim believed he was installing an arbitrage bot, a software tool capable of profiting from differences in cryptocurrency rates between platforms,” the researchers said. But in reality, the attack chain paved the way for the delivery of KANDYKORN through a five-step process.

“KANDYKORN is an advanced implant with diverse capabilities to monitor, interact and avoid detection,” said the researchers. “It uses reflective loading, a form of direct memory execution that can evade detection.”

The starting point is a Python script (watcher.py), which retrieves another Python script (testSpeed.py) hosted on Google Drive; this dropper, in turn, retrieves a further Python file from a Google Drive URL, called FinderTools.

FinderTools also acts as a dropper, downloading and executing a hidden second-stage payload called SUGARLOADER (/Users/shared/.sld and .log), which ultimately connects to a remote server to fetch KANDYKORN and run it directly in memory.

SUGARLOADER is also responsible for launching a self-signed Swift binary known as HLOADER, which tries to pass itself off as the legitimate Discord application and runs .log (i.e. SUGARLOADER) to achieve persistence using a method called execution flow hijacking.

KANDYKORN, which is the last stage payload, is a memory-resident RAT complete with functionality to enumerate files, execute additional malware, exfiltrate data, terminate processes, and execute arbitrary commands.
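The SUGARLOADER stage described above leaves on-disk artifacts that a defender can hunt for: hidden files in /Users/shared (.sld and .log) that are really Mach-O executables. The script below is an added example, not code from the article or from Elastic Security Labs; it walks a directory standing in for /Users/shared and flags hidden files by the names the report gives, by Mach-O magic bytes, and by the execute bit. The demo directory it builds is constructed for illustration only.

```python
"""Hunt for SUGARLOADER-style artifacts: hidden Mach-O files in a shared directory.

Added example (not from the article or Elastic's report). The file names come
from the article; the demo directory contents are constructed for illustration.
"""
import os
import stat
import tempfile
from pathlib import Path

# File names the article reports for the SUGARLOADER stage under /Users/shared.
REPORTED_NAMES = {".sld", ".log"}

# Mach-O magic values as they appear on disk: 64-bit and 32-bit thin binaries
# (little-endian) and fat/universal binaries (big-endian).
MACHO_MAGICS = {b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}


def is_macho(path: Path) -> bool:
    """True if the file starts with a Mach-O magic value."""
    try:
        with path.open("rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False


def hunt_hidden_executables(shared_dir: str) -> list[dict]:
    """Return findings for hidden files in `shared_dir` that look like loaders.

    A hidden file is reported when its name matches the article, when it is a
    Mach-O binary, or when it carries the user execute bit. Ordinary hidden
    metadata files such as .DS_Store match none of these and are ignored.
    """
    findings = []
    for entry in Path(shared_dir).iterdir():
        if not entry.is_file() or not entry.name.startswith("."):
            continue
        reasons = []
        if entry.name in REPORTED_NAMES:
            reasons.append("name matches reported SUGARLOADER artifact")
        if is_macho(entry):
            reasons.append("hidden file is a Mach-O executable")
        if entry.stat().st_mode & stat.S_IXUSR:
            reasons.append("hidden file has the execute bit set")
        if reasons:
            findings.append({"path": str(entry), "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


def build_demo_dir() -> str:
    """Create a constructed stand-in for /Users/shared and return its path."""
    base = Path(tempfile.mkdtemp(prefix="shared-demo-"))
    # Two hidden files with a 64-bit Mach-O header (constructed, not real malware).
    (base / ".sld").write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
    os.chmod(base / ".sld", 0o755)
    (base / ".log").write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
    # Benign hidden metadata and a plain shared file, which must not be flagged.
    (base / ".DS_Store").write_bytes(b"\x00\x00\x00\x01Bud1")
    (base / "notes.txt").write_text("benign shared file\n")
    return str(base)


if __name__ == "__main__":
    for finding in hunt_hidden_executables(build_demo_dir()):
        print(finding["path"], "->", "; ".join(finding["reasons"]))
```

On a real host the function would be pointed at /Users/shared itself; pairing the hit with a code-signature check on the Discord binary would cover the HLOADER stage as well, since the article notes it is self-signed rather than carrying the vendor's signature.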

“The DPRK, through units such as the Lazarus Group, continues to target crypto businesses with the aim of stealing cryptocurrencies in order to circumvent the international sanctions that hinder the growth of their economy and their ambitions,” the researchers said.

Kimsuky returns with updated FastViewer malware

The disclosure comes as the S2W threat analysis team discovered an updated variant of Android spyware called FastViewer, used by a North Korean threat group called Kimsuky (aka APT43), a sister hacking organization of the Lazarus Group.

FastViewer, first documented by the South Korean cybersecurity company in October 2022, abuses Android Accessibility Services to surreptitiously collect sensitive data from compromised devices, masquerading as seemingly harmless security or e-commerce applications propagated via phishing or smishing.

It is also designed to download a second-stage malware called FastSpy, based on the AndroSpy open source project, to execute data collection and exfiltration commands.

“The variant has been in production since at least July 2023 and, like the initial version, has been found to induce installation by distributing repackaged APKs that include malicious code in legitimate applications,” S2W stated.

A notable aspect of the new version is the integration of FastSpy functionality into FastViewer, eliminating the need to download additional malware. That said, S2W noted there are “no known cases of this variant distributed in the wild.”