Elastic Security Labs has discovered a sophisticated cyber intrusion by North Korean hackers thought to be connected to the Lazarus Group, according to CryptoPotato. The intrusion, tracked under the reference number REF7001, used a new macOS malware called Kandykorn to specifically target blockchain developers working on cryptocurrency exchange platforms. Unusually for macOS intrusions, the malware was distributed through a private chat on a public Discord channel.
Kandykorn begins by communicating with a command-and-control (C2) server over RC4-encrypted traffic, using a custom handshake protocol. It then waits for instructions, which lets the attackers covertly maintain control over the compromised systems. Elastic Security Labs has published detailed analysis of Kandykorn's capabilities, showing that it can upload and download files, manipulate processes, and run arbitrary system commands. The malware also uses reflective binary loading, a fileless execution technique associated with the infamous Lazarus Group.
Strong evidence ties this attack to the North Korean Lazarus Group, including similarities in tactics, network infrastructure, the certificates used to sign malicious software, and custom methods for identifying Lazarus Group activity. On-chain transactions have also linked the breaches at Atomic Wallet, Alphapo, CoinsPaid, Stake.com, and CoinEx, further pointing to the Lazarus Group's involvement in these attacks. Elastic Security Labs stresses that strong cybersecurity practices are essential to protect against threats of this kind.