Hackers believed to be connected to North Korea are reportedly utilizing a novel macOS malware called KandyKorn to target cryptocurrency exchange platforms through their engineers.
Malicious actors linked to the notorious cybercriminal group Lazarus Group, purportedly operating on behalf of North Korea, are impersonating blockchain engineers on Discord using social engineering techniques. Victims are led to download a malicious ZIP file, as reported by cybersecurity firm Elastic Security Labs.
The victims, convinced that they were installing an arbitrage bot – a software tool designed to profit from cryptocurrency rate differences between platforms – actually ended up downloading a Python file that eventually downloads and executes Watcher.py.
“This execution initiated the primary malware execution flow of the REF7001 intrusion, ultimately culminating in KANDYKORN,” according to Elastic.
The macOS malware KandyKorn is a remote access trojan (RAT) and a backdoor capable of retrieving data, executing directory listings, secure deletion, and file upload/download, among other functions.
“Once communication is established, KandyKorn awaits commands from the server. This is an interesting characteristic because the malware waits for commands rather than polling for them. This reduces the number of endpoint and network artifacts generated and provides a way to limit potential discovery,” explained researchers at Elastic.
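The detection-side consequence of that design is worth seeing concretely. The following is an added example, not code from the article or from Elastic's report: a small beacon-periodicity check run over constructed outbound-connection log lines. A polling implant leaves a regular train of connections that a timing heuristic can flag, whereas an implant that holds one connection open and waits for commands, as described above, leaves a single connection event and nothing for the periodicity check to work with. All hostnames, IP addresses, timestamps and thresholds are constructed for the example.

```python
"""
Added example (not from the article or Elastic's report): a beacon-
periodicity check over constructed outbound-connection log lines.
Purpose: show why a wait-for-commands C2 model yields fewer network
artifacts than a polling one. Hosts, IPs, timestamps and thresholds are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "timestamp src_host dst_ip:port" lines, as a host-level
# network monitor might emit. eng-mac-01 polls 203.0.113.10 about every 60 s;
# eng-mac-02 connects once to 192.0.2.44 and keeps the socket open.
SAMPLE_LOG = """\
2023-04-03T10:00:00 eng-mac-01 203.0.113.10:443
2023-04-03T10:00:02 eng-mac-01 198.51.100.7:443
2023-04-03T10:01:00 eng-mac-01 203.0.113.10:443
2023-04-03T10:02:01 eng-mac-01 203.0.113.10:443
2023-04-03T10:03:00 eng-mac-01 203.0.113.10:443
2023-04-03T10:04:00 eng-mac-01 203.0.113.10:443
2023-04-03T10:05:01 eng-mac-01 203.0.113.10:443
2023-04-03T10:00:05 eng-mac-02 192.0.2.44:443
2023-04-03T10:07:15 eng-mac-01 198.51.100.7:443
2023-04-03T10:31:09 eng-mac-01 198.51.100.7:443
"""


def parse_log(text):
    """Group sorted connection timestamps by (source host, destination)."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst = line.split()
        conns[(host, dst)].append(datetime.fromisoformat(ts))
    for key in conns:
        conns[key].sort()
    return conns


def beacon_score(timestamps):
    """Return (connection count, mean gap in seconds, coefficient of variation).
    A low CV over many connections means a near-fixed polling interval."""
    if len(timestamps) < 2:
        return len(timestamps), None, None
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    m = mean(gaps)
    cv = pstdev(gaps) / m if m else 0.0
    return len(timestamps), m, cv


def find_beacons(conns, min_conns=5, max_cv=0.1):
    """Flag (host, dst) pairs whose connection gaps are regular enough to look
    like polling. Thresholds are constructed; tune against your own baseline."""
    flagged = []
    for key, stamps in conns.items():
        n, m, cv = beacon_score(stamps)
        if n >= min_conns and cv is not None and cv <= max_cv:
            flagged.append((key, n, round(m, 1)))
    return sorted(flagged)


def quiet_pairs(conns):
    """Pairs with exactly one event: the only artifact a connect-once-and-wait
    implant leaves in this kind of log, so it needs a different detection
    angle (e.g. long-lived sessions, process-to-destination baselining)."""
    return sorted(k for k, v in conns.items() if len(v) == 1)


if __name__ == "__main__":
    c = parse_log(SAMPLE_LOG)
    print("polling-like pairs:", find_beacons(c))
    print("single-event pairs:", quiet_pairs(c))
```

Running it flags only the 60-second poller; the connect-once host shows up solely as a single-event pair, which is the point Elastic makes about reduced artifacts. In practice you would pair the periodicity check with long-lived-session monitoring and per-process destination baselining so that the wait-for-commands case is not invisible.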
Based on the RC4 key used to encrypt KandyKorn C2 traffic and Sugarloader (an obfuscated binary), this campaign may have begun in April 2023, and it remains active, with tools and techniques continuously being developed.
The latest report underscores that macOS remains a target for the Lazarus Group, demonstrating their ability to develop complex and stealthy malware aimed at Apple users.
It also highlights that the cryptocurrency industry remains the primary target of Lazarus.
Since 2011, crypto hacks have cost the industry $12.36 billion, with 30.74% of this amount stemming from 192 cryptocurrency exchanges that collectively lost $3.8 billion to cybercriminals, according to data from a report by the independent think tank The Money Mongers.
The report reveals that 297 crypto hacks occurred in this year alone and emphasizes that the industry loses $216,000 every hour.
“The research findings, which reveal a cumulative loss of $12.36 billion since 2011 and $1.89 billion in 2023 alone, underscore the urgent need for enhanced security in the cryptocurrency domain,” said The Money Mongers CEO Sudhir Khatwani in an interview with the International Business Times.
Chainalysis reported that 2022 was considered the worst year for crypto businesses, with the industry suffering $3.8 billion in losses from crypto hacking.
Additionally, the previous year witnessed the notorious cybercriminal group Lazarus breaking its own records for theft. The North Korean government-backed actors stole an astounding $1.7 billion in cryptocurrency assets across multiple hacks attributed to their name.