KandyKorn macOS malware lobbed at blockchain engineers

North Korean hackers are using novel macOS malware named KandyKorn to target blockchain engineers at a cryptocurrency exchange platform.

The attack

By impersonating blockchain engineering community members on Discord, the attackers used social engineering techniques to make victims download a malicious ZIP file.

The victims believe they are installing an arbitrage bot, i.e., crypto trading software, but what they actually get is a Python file (Main.py) that downloads and executes Watcher.py, a script that stages the system for further downloads. Watcher.py in turn downloads and executes several intermediate dropper Python scripts, which fetch an obfuscated binary named Sugarloader from a Google Drive URL.

Another loader (Hloader), posing as the legitimate Discord app, is used as a persistence mechanism and to load Sugarloader. Sugarloader establishes the connection to a C2 server to download and execute the KandyKorn malware directly into memory.
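The chain described above leaves two lineage patterns a defender can look for in endpoint telemetry: a script interpreter that pulls from a file-sharing host and then launches a binary out of a user-writable directory, and a process carrying a well-known app's name whose code signature does not belong to that app. The following Python is an added example written for this article, not Elastic's detection rules; the process records, paths, hostnames and signing identifiers are constructed, and EXPECTED_SIGNERS holds a placeholder team identifier rather than Discord's real one.

```python
"""Process-lineage heuristics over constructed macOS telemetry.

Added example; not Elastic Security Labs' rules. All records below are
constructed, and the expected signer value is a placeholder to be replaced
with the team identifier you have verified for the real application.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Placeholder mapping of app name -> verified code-signing team identifier.
EXPECTED_SIGNERS: Dict[str, str] = {"Discord": "TEAMID_PLACEHOLDER_DISCORD"}

# Hosts commonly abused as a neutral staging location for second-stage payloads.
FILE_SHARING_HOSTS = ("drive.google.com", "docs.google.com")

# Locations an unprivileged user can write to on macOS (constructed list).
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    path: str
    cmdline: str
    signer: Optional[str] = None                        # signing team ID, if any
    connections: List[str] = field(default_factory=list)  # destination hosts seen


def user_writable(path: str) -> bool:
    return path.startswith(USER_WRITABLE_PREFIXES)


def is_script_interpreter(proc: Proc) -> bool:
    """True for a Python interpreter that was handed a .py script."""
    return proc.name.startswith("python") and ".py" in proc.cmdline


def detect_masquerading(procs: List[Proc]) -> List[str]:
    """A binary carrying a well-known app's name must carry that app's signer."""
    alerts = []
    for p in procs:
        expected = EXPECTED_SIGNERS.get(p.name)
        if expected is not None and p.signer != expected:
            alerts.append(
                f"pid {p.pid}: '{p.name}' at {p.path} signed by {p.signer!r}, "
                f"expected {expected!r}"
            )
    return alerts


def detect_script_staging(procs: List[Proc]) -> List[str]:
    """Interpreter running a dropped script that fetched from a file-sharing
    host and then launched a non-script child from a user-writable location."""
    by_pid = {p.pid: p for p in procs}
    alerts = []
    for child in procs:
        parent = by_pid.get(child.ppid)
        if parent is None or not is_script_interpreter(parent):
            continue
        pulled = [h for h in parent.connections if h in FILE_SHARING_HOSTS]
        if pulled and user_writable(child.path) and not is_script_interpreter(child):
            alerts.append(
                f"pid {parent.pid}: {parent.cmdline!r} fetched from {pulled[0]} "
                f"then launched {child.path} (pid {child.pid})"
            )
    return alerts


# Constructed sample telemetry: one benign Discord, one impostor, one
# benign Python test run, and one staging chain like the one described.
SAMPLE_PROCS = [
    Proc(1, 0, "launchd", "/sbin/launchd", "launchd"),
    Proc(310, 1, "Discord", "/Applications/Discord.app/Contents/MacOS/Discord",
         "Discord", signer="TEAMID_PLACEHOLDER_DISCORD"),
    Proc(420, 1, "Discord", "/Users/dev/Library/Discord/Discord",
         "Discord", signer="TEAMID_PLACEHOLDER_UNKNOWN"),
    Proc(500, 1, "python3", "/usr/bin/python3",
         "python3 /Users/dev/Downloads/Main.py", connections=["drive.google.com"]),
    Proc(501, 500, "stage2", "/Users/dev/Downloads/arbbot/stage2",
         "/Users/dev/Downloads/arbbot/stage2"),
    Proc(600, 1, "python3", "/usr/bin/python3",
         "python3 /Users/dev/work/tests.py", connections=["pypi.org"]),
    Proc(601, 600, "pytest", "/usr/local/bin/pytest", "pytest"),
]


def run(procs: List[Proc] = SAMPLE_PROCS) -> List[str]:
    return detect_masquerading(procs) + detect_script_staging(procs)


if __name__ == "__main__":
    for line in run():
        print(line)
```

The staging rule deliberately requires all three conditions (dropped script, file-sharing fetch, child from a writable path) so that ordinary developer activity such as pip installs from a test script does not fire; tune the prefix and host lists to your fleet.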


KandyKorn execution flow. (Source: Elastic Security Labs)

The macOS KandyKorn malware

“Once communication is established, KandyKorn awaits commands from the server. This is an interesting characteristic in that the malware waits for commands instead of polling for commands. This would reduce the number of endpoint and network artifacts generated and provide a way to limit potential discovery,” Elastic Security Labs researchers explained.

KandyKorn is a remote access trojan (RAT) capable of performing encrypted C2 communications, enumerating systems, uploading and executing additional malicious payloads, compressing and exfiltrating data, and more.

“Elastic traced this campaign to April 2023 through the RC4 key used to encrypt the Sugarloader and KandyKorn C2. This threat is still active and the tools and techniques are being continuously developed,” the researchers said.

Cryptocurrency companies under attack

The researchers attributed this activity to North Korean hackers (i.e., the Lazarus Group) based on the techniques, network infrastructure, and code-signing certificates used in the campaign, and custom Lazarus Group detection rules.

In recent years, North Korean hackers have shown a growing interest in targeting cryptocurrency companies.

These cyberattacks pose a significant threat to the digital assets and security of the cryptocurrency industry as North Korea seeks to bypass international sanctions and generate revenue for the internationally politically isolated state.

UPDATE (November 9, 2023, 04:45 a.m. ET):

Jamf Threat Labs researchers have analyzed another macOS malware attributed to a North Korea-backed APT group that has commonly been seen targeting cryptocurrency exchanges, venture capital firms and banks.

The malware communicates with the domain swissborg[.]blog, which resembles a legitimate domain belonging to a cryptocurrency exchange (swissborg.com), and more specifically that exchange's blog URL (swissborg.com/blog).
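A lookalike such as swissborg[.]blog standing in for swissborg.com/blog is cheap to catch in DNS logs once the brands you care about are listed. The Python below is an added example, not Jamf's tooling; the protected-brand table and the sample query list are constructed to mirror the case in the text, and the TLD split is a naive last-label split (a production version should consult the Public Suffix List so that suffixes like co.uk are handled).

```python
"""Flag lookalike domains in observed DNS queries.

Added example, not part of the original article or of Jamf's tooling.
PROTECTED_BRANDS and SAMPLE_QUERIES are constructed for illustration.
"""
from typing import Dict, List, Optional, Set, Tuple

# Brand labels to protect, with the TLDs each legitimately uses (constructed).
PROTECTED_BRANDS: Dict[str, Set[str]] = {
    "swissborg": {"com"},
}


def refang(domain: str) -> str:
    """Turn defanged notation like swissborg[.]blog back into swissborg.blog."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def split_domain(domain: str) -> Tuple[str, str]:
    """Return (registrable label, tld) using a naive last-label split.
    Limitation: multi-part public suffixes (co.uk) need the Public Suffix List."""
    labels = refang(domain).split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; labels are short, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(domain: str) -> Optional[str]:
    """Return an alert string if the domain imitates a protected brand, else None."""
    label, tld = split_domain(domain)
    clean = refang(domain)
    for brand, tlds in PROTECTED_BRANDS.items():
        if label == brand:
            if tld in tlds:
                return None  # the brand's own registrable domain
            return f"{clean}: brand label {brand!r} under unexpected TLD .{tld}"
        if edit_distance(label, brand) == 1:
            return f"{clean}: label {label!r} is one edit away from {brand!r}"
        if brand in label:
            return f"{clean}: label {label!r} embeds brand {brand!r}"
    return None


def scan(queries: List[str]) -> List[str]:
    """Run classify over a batch of observed query names and keep the hits."""
    hits = []
    for q in queries:
        verdict = classify(q)
        if verdict is not None:
            hits.append(verdict)
    return hits


# Constructed query log: the real brand domain, its subdomain, and lookalikes.
SAMPLE_QUERIES = [
    "swissborg.com",
    "blog.swissborg.com",
    "swissborg[.]blog",
    "swissb0rg.com",
    "swissborg-support.com",
    "example.org",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_QUERIES):
        print(hit)
```

Three checks are layered: same label under a different TLD (the swissborg[.]blog case), a single-character edit of the label, and the brand label embedded in a longer one. Legitimate subdomains such as blog.swissborg.com pass because only the registrable label is compared.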

Using social engineering techniques, the attackers contacted victims to offer them partnership opportunities or “something beneficial under the guise of an investor or head hunter”.

“The malware is written in Objective-C and operates as a very simple remote shell that executes shell commands sent from the attacker server. Although it is not entirely clear how initial access was achieved, this malware is likely being used as a later stage to manually run commands after compromising a system,” Jamf Threat Labs researchers noted.
