A new strain of malware named "KandyKorn" has been discovered on Apple's macOS, and it is believed to be connected to the North Korean hacking group known as Lazarus. This malware is reportedly targeting blockchain engineers at a cryptocurrency trading platform. According to analysis conducted by Elastic Security Labs, KandyKorn is a stealth backdoor capable of a range of malicious activities such as data retrieval, directory listing, file upload/download, secure deletion, process termination, and command execution.
The attackers initially distributed this macOS malware through Discord channels, where they posed as community members. They used a social engineering attack to deceive community members into downloading a malicious ZIP archive labeled "Cross-Platform Bridges.zip." The file was disguised as an arbitrage bot designed for automated monetization. In reality, the ZIP archive loaded 13 malicious modules that worked in concert to steal and manipulate information. One noteworthy aspect of this attack was the use of a technique called "execution stream hijacking" to achieve persistence on macOS, which had not been seen before.
The Lazarus hacking group, which is believed to originate from North Korea, primarily targets the cryptocurrency industry with a focus on financial gain rather than espionage. The presence of KandyKorn on macOS highlights the group's ability to develop sophisticated and discreet malware tailored for Apple computers.
This discovery underscores the ongoing threats to the cryptocurrency industry and the need for heightened security measures to protect against malicious attacks. A recent breach of Unibot, a popular Telegram bot used for sniping transactions on the decentralized exchange Uniswap, resulted in a 40% drop in the token's price in just one hour. Blockchain analytics firm Scopescan issued a warning to Unibot users about the ongoing hack, which was later confirmed by official sources. Unibot pledged to compensate all users who suffered financial losses due to the contract vulnerabilities.