Lord777
Why do North Korean groups need cryptocurrency and is Lazarus involved in this campaign?
In recent weeks, the activity of North Korean hackers has escalated. As Elastic Security Labs specialists found out, the new cyber threat is associated with a sophisticated malware called KANDYKORN, which is aimed at macOS users in the cryptocurrency industry. The Discord messenger is used to distribute the program. Attackers under the guise of blockchain developers offer victims tools that allegedly allow them to profit from arbitrage operations with cryptocurrency.
Experts attribute the latest campaign, which began in April 2023, to the actions of the well-known hacker group Lazarus: the attack methods and network infrastructure are very similar to their handwriting.
The victim is asked to download a ZIP archive with embedded malicious code. The user believes that he is downloading an application for cryptocurrency trading, but in fact the program is needed so that hackers can gain initial access to the system.
"The attack is implemented in a series of complex steps, each of which involves specialized methods to bypass security systems," researchers Ricardo Ungureanu, Seth Goodwin, and Andrew Pease explain in their report.
This year, hackers from the Lazarus group have already attacked macOS users through infected PDF files. When the victim opened the document, a hidden threat was activated on the computer: the RustBucket backdoor written in AppleScript. It, in turn, quietly loaded other malicious components from an external server.
KANDYKORN runs directly in the RAM of macOS-based devices. This spy program can not only collect information from an infected computer, but also launch new malicious operations, interrupt individual applications, and execute various malicious commands as needed.
The main difficulty of the attack lies in the use of a chain of droppers, intermediate links that facilitate the installation of the main software. The process starts with the Python script watcher.py, which is contained in the original ZIP archive and acts as the first dropper. It then loads the second script, testSpeed.py, from Google Drive cloud storage. That script opens the path for downloading FinderTools, another component also located on Google Drive.
FinderTools activates SUGARLOADER — a hidden auxiliary module that disguises itself as system files in the /Users/shared/.sld and log directories. This component completes the system preparation for infection and creates favorable conditions for implementing the main code, bypassing standard antivirus solutions.
Only then is a connection established with the remote server for downloading KANDYKORN and executing it in the computer's memory.
To hide its activity, the malware uses HLOADER, a specially constructed file written in the Swift programming language. At first glance, it doesn't look any different from a regular Discord app. Its main task is to capture the flow of execution. This means that HLOADER is integrated into the process of running regular, legitimate programs, while remaining invisible to the user.
It is assumed that the main goal of politically motivated hackers from North Korea, including Lazarus, is to access and steal cryptocurrency assets in order to overcome economic sanctions.
Researchers continue to monitor the activity of intruders in order to develop effective methods to combat the threat.
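As an added defender-side example (not code from the post, from Elastic Security Labs, or from the malware itself): a small POSIX shell hunt for the on-disk artifacts the write-up names. The dropper file names (watcher.py, testSpeed.py, FinderTools) and the staging directory under /Users/shared/.sld come from the post; the function names, the depth limit, and the sample directory tree used to try it out are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the article or Elastic's report: hunt a filesystem root
# for the artifacts the write-up attributes to the KANDYKORN dropper chain.
# Usage: kandykorn_hunt [ROOT]   (ROOT defaults to /; pass a constructed tree to test)

# Dropper file names the article names (assumption: they are kept unchanged on disk).
KK_NAMES="watcher.py testSpeed.py FinderTools"

# Hidden staging directory the article says SUGARLOADER uses, relative to ROOT.
# The default macOS filesystem is case-insensitive, so the lowercase "shared" resolves.
KK_STAGE="Users/shared/.sld"

# Prints one "HIT <kind>: <path>" line per artifact found under ROOT.
# Returns 0 when at least one artifact was found, 1 when the tree looks clean.
kandykorn_hunt() {
    root="${1:-/}"
    stage="${root%/}/$KK_STAGE"
    found=1

    if [ -d "$stage" ]; then
        echo "HIT staging-dir: $stage"
        found=0
    fi

    for name in $KK_NAMES; do
        # A bounded depth keeps a scan of / tolerable; raise it for deep home directories.
        hits=$(find "$root" -maxdepth 6 -name "$name" 2>/dev/null || true)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | sed 's/^/HIT dropper-name: /'
            found=0
        fi
    done

    return "$found"
}

# Convenience wrapper for scripting or a scheduled check: number of artifact lines.
kandykorn_hit_count() {
    kandykorn_hunt "$1" | wc -l | tr -d ' '
}

# Constructed sample tree (assumption, for trying the functions out offline):
# a staging directory plus a stray first-stage dropper in Downloads.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/Users/shared/.sld" "$demo_root/Downloads"
: > "$demo_root/Downloads/watcher.py"
kandykorn_hunt "$demo_root"
rm -rf "$demo_root"
```

Because KANDYKORN itself is loaded straight into memory, a file hunt like this only catches the dropper and staging stages; pair it with process and network telemetry (unexpected Python interpreters spawned from a Discord-like app, outbound connections from such processes) to cover the in-memory payload.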
