North Korean hackers, probably associated with the Lazarus Group, were observed targeting blockchain engineers at cryptocurrency exchange platforms with a new macOS malware called KandyKorn.
The intrusion, tracked as REF7001 by Elastic Security Labs, used a combination of custom and open-source capabilities to gain initial access and carry out post-exploitation on macOS systems.
Writing in an advisory published today, the security researchers said the intrusion began with the attackers impersonating members of the blockchain engineering community on a public Discord server and convincing victims to download and decompress a ZIP archive containing malicious code. The victims believed they were installing an arbitrage bot to profit from price differences between cryptocurrencies.
The execution flow of REF7001 consisted of five stages:
- Initial compromise: a Python application called Watcher.py was disguised as an arbitrage bot and distributed in a .zip file named "Cross-Platform Bridges.zip".
- Dropper: TestSpeed.py and FinderTools were used as intermediate droppers to download and execute SUGARLOADER.
- Payload: SUGARLOADER, an obfuscated binary, was used for initial access and as a loader for the final stage, KandyKorn.
- Loader: HLOADER, a loader that masquerades as the legitimate Discord application, was used as a persistence mechanism for loading SUGARLOADER.
- Payload: KandyKorn, the final stage of the intrusion, provided a full set of capabilities for data access and exfiltration.
The KandyKorn malware communicates with a command-and-control (C2) server over RC4-encrypted traffic and uses a unique handshake mechanism, waiting for commands rather than polling for them. The Elastic report describes the various commands KandyKorn can execute, including uploading and downloading files, manipulating processes and running arbitrary system commands.
Read more about similar malware: Alloy Taurus Hackers Update PingPull Malware to target Linux systems
The Elastic team highlighted the use of reflective binary loading, an in-memory form of execution that can bypass traditional detection methods. This kind of fileless execution has previously been observed from the Lazarus Group, which focuses on stealing cryptocurrency to bypass international sanctions.
The technical write-up offers extensive details, including EQL queries for hunting and detection, as well as insights into the malware's infrastructure and the Diamond Model used to describe the relationships within the intrusion.
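As an added example, not code from the article or from Elastic's report, the following Python shows the kind of process-ancestry correlation an EQL sequence rule performs, applied to the dropper stages listed above (a Python interpreter running Watcher.py or TestSpeed.py, followed by a FinderTools process descending from it). Only the file names come from the page; the event schema, the sample telemetry and the parent-chain shape are assumptions.

```python
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class ProcEvent:
    # Assumed process-start event layout, not a real EDR schema
    ts: float      # seconds since epoch
    pid: int
    ppid: int
    exe: str       # full path of the executable
    args: str      # command line

# Stage names taken from the article; matching by file name is a simplification
STAGE1_SCRIPTS = ("watcher.py", "testspeed.py")
STAGE2_DROPPER = "findertools"

def find_dropper_chains(events: List[ProcEvent], window: float = 600.0,
                        max_depth: int = 5) -> List[Tuple[int, int]]:
    """Return (python_pid, findertools_pid) pairs where a FinderTools process
    descends (within max_depth parents) from a Python interpreter that ran a
    stage-1 script at most `window` seconds earlier."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits: List[Tuple[int, int]] = []
    for ev in events:
        if os.path.basename(ev.exe).lower() != STAGE2_DROPPER:
            continue
        anc: Optional[ProcEvent] = by_pid.get(ev.ppid)
        depth = 0
        while anc is not None and depth < max_depth:   # walk up the ancestry
            ran_stage1 = ("python" in os.path.basename(anc.exe).lower()
                          and any(s in anc.args.lower() for s in STAGE1_SCRIPTS))
            if ran_stage1 and 0 <= ev.ts - anc.ts <= window:
                hits.append((anc.pid, ev.pid))
                break
            anc = by_pid.get(anc.ppid)
            depth += 1
    return hits

# Constructed sample telemetry (not real data): one benign script, one
# REF7001-style chain, and one FinderTools start too late to correlate.
SAMPLE_EVENTS = [
    ProcEvent(10.0, 100, 1, "/usr/bin/python3", "python3 backup_photos.py"),
    ProcEvent(20.0, 101, 1, "/usr/bin/python3", "python3 Watcher.py"),
    ProcEvent(21.0, 102, 101, "/bin/sh", "sh -c ./FinderTools"),
    ProcEvent(22.0, 103, 102, "/Users/dev/Downloads/Cross-Platform Bridges/FinderTools", "./FinderTools"),
    ProcEvent(900.0, 104, 100, "/Users/dev/tools/FinderTools", "./FinderTools"),
    ProcEvent(2000.0, 105, 101, "/Users/dev/Downloads/Cross-Platform Bridges/FinderTools", "./FinderTools"),
]
```

Running `find_dropper_chains(SAMPLE_EVENTS)` flags only the chain where FinderTools starts shortly after Watcher.py; widening the time window also catches the late start, which is the usual tuning trade-off for sequence rules.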