Kandykorn Malware Linked to North Korean Hacker Group


State-sponsored threat actors associated with the Democratic People's Republic of Korea are targeting blockchain engineers from an undisclosed cryptocurrency exchange platform through Discord, using a new macOS malware called KANDYKORN.

Elastic Security Labs reported that this activity, dating back to April 2023, shares similarities with the well-known Lazarus Group. The overlap was identified by analyzing the network infrastructure and the techniques employed.

Security researchers Ricardo Ungureanu, Seth Goodwin, and Andrew Pease revealed that the threat actors enticed blockchain engineers with a Python application to gain initial access to their systems. This intrusion consisted of multiple intricate stages, each utilizing deliberate techniques to avoid detection.

The Lazarus Group has previously employed macOS malware in its attacks. In a previous incident earlier this year, they distributed a tampered PDF application that ultimately led to the deployment of RustBucket, an AppleScript-based backdoor capable of retrieving a second-stage payload from a remote server.

What sets this new campaign apart is how the attackers impersonate blockchain engineers on a public Discord server. They use social engineering tactics to deceive victims into downloading and executing a ZIP archive containing malicious code.

The researchers explained that the victim believed they were installing an arbitrage bot, a software tool that could profit from cryptocurrency rate differences between platforms. However, in reality, this process paved the way for the delivery of KANDYKORN through a five-stage procedure.

Kandykorn's Internals

KANDYKORN is described as an advanced implant with multiple capabilities, including monitoring, interaction, and detection evasion. It employs reflective loading, a direct-memory execution method that can bypass security detections.

The attack begins with a Python script (watcher.py), which retrieves another Python script (testSpeed.py) from Google Drive. That script acts as a dropper and fetches a further Python file, FinderTools, from a Google Drive URL.

FinderTools, in turn, serves as a dropper, downloading and executing a hidden second-stage payload called SUGARLOADER (/Users/shared/.sld and .log). SUGARLOADER then connects to a remote server to retrieve KANDYKORN and execute it directly in memory.

SUGARLOADER is also responsible for launching a Swift-based self-signed binary known as HLOADER, which attempts to mimic the legitimate Discord application. It executes .log (i.e., SUGARLOADER) to achieve persistence using a technique called execution flow hijacking.

KANDYKORN, the final-stage payload, is a comprehensive memory-resident Remote Access Trojan (RAT) with built-in capabilities for file enumeration, running additional malware, data exfiltration, process termination, and executing arbitrary commands.
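As an added example (not code from the article or from Elastic's tooling), the following Python triage script checks a macOS host for two artifacts described above: the hidden SUGARLOADER files under /Users/shared, and a Discord main executable whose code signature does not chain to Apple's root CA, which is what a self-signed HLOADER impersonating Discord would show. The Discord bundle path and the codesign output samples are assumptions constructed for the example.

```python
import os
import subprocess
# Hidden SUGARLOADER artifacts named in the Elastic write-up.
SUGARLOADER_NAMES = (".sld", ".log")
# Assumed path of the legitimate Discord main executable.
DISCORD_BINARY = "/Applications/Discord.app/Contents/MacOS/Discord"

def find_sugarloader_artifacts(root):
    """Return the SUGARLOADER hidden files present directly under root."""
    paths = [os.path.join(root, name) for name in SUGARLOADER_NAMES]
    return [p for p in paths if os.path.isfile(p)]

def parse_codesign(text):
    """Parse `codesign -dvv` output into the fields relevant for triage."""
    info = {"authorities": [], "adhoc": False, "team": None}
    for line in text.splitlines():
        if line.startswith("Authority="):
            info["authorities"].append(line.split("=", 1)[1].strip())
        elif line.startswith("Signature=adhoc"):
            info["adhoc"] = True
        elif line.startswith("TeamIdentifier="):
            info["team"] = line.split("=", 1)[1].strip()
    return info

def chains_to_apple(info):
    """True only when the signing chain ends at Apple's root CA; an ad-hoc or
    self-signed binary, as HLOADER is described, fails this check."""
    return not info["adhoc"] and "Apple Root CA" in info["authorities"]

def codesign_output(path):
    """codesign -dvv writes its report to stderr on a real macOS host."""
    return subprocess.run(["codesign", "-dvv", path],
                          capture_output=True, text=True).stderr

# Constructed samples of codesign output, not captured from a real host.
TRUSTED_SAMPLE = """Authority=Developer ID Application: Example Vendor (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID0000
"""
SELF_SIGNED_SAMPLE = """Authority=Discord
TeamIdentifier=not set
"""

if __name__ == "__main__":
    print("SUGARLOADER files:", find_sugarloader_artifacts("/Users/shared"))
    if os.path.isfile(DISCORD_BINARY):
        info = parse_codesign(codesign_output(DISCORD_BINARY))
        print("Discord chains to Apple:", chains_to_apple(info))
```

The signature check is a heuristic: a replaced binary that is re-signed with a stolen Developer ID would pass it, so treat a failing result as a lead for a fuller investigation rather than a verdict.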

November 2, 2023