A new report from Elastic Security Labs has shed light on the Lazarus Group's attempt to compromise cryptocurrency exchanges using a novel type of malware, which Elastic has named "Kandykorn." Additionally, they've dubbed the loader that deploys this malware into memory "Sugarloader" because of the unusual ".sld" extension in its file name. While Elastic didn't reveal the specific exchange targeted, the Lazarus Group has been implicated in a series of private key thefts from cryptocurrency exchanges in 2023.
The attack began with Lazarus members posing as blockchain engineers and striking up conversations on Discord with engineers from an undisclosed cryptocurrency exchange. They claimed to have developed a profitable arbitrage bot capable of exploiting price differences for the same cryptocurrency across exchanges. The unsuspecting engineer was persuaded to download the so-called "bot," which included files with deceptive names like "config.py" and "pricetable.py" to mimic a real arbitrage bot.
Once executed, the program ran a "Main.py" file that initiated both legitimate and malicious processes, including a file known as "Watcher.py." This malicious component established a connection with a remote Google Drive account, downloading content into another file named "testSpeed.py." The program ran testSpeed.py once and then deleted it to conceal its activities.
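The download-run-once-delete behaviour described above (content pulled into testSpeed.py, executed, then removed) is the kind of short-lived artifact that leaves a file-create, process-exec, file-delete sequence on the same path. The following is an added detection example written for this article, not Elastic's tooling; the event stream is constructed and the paths are assumed, with only the file names taken from the report.

```python
from collections import defaultdict

# Constructed sample endpoint events: (timestamp_seconds, event_type, process, path).
# Only the file names come from the report; paths and timings are made up.
SAMPLE_EVENTS = [
    (100.0, "file_create",  "python3", "/Users/dev/bot/testSpeed.py"),
    (100.5, "process_exec", "python3", "/Users/dev/bot/testSpeed.py"),
    (101.2, "file_delete",  "python3", "/Users/dev/bot/testSpeed.py"),
    (200.0, "file_create",  "python3", "/Users/dev/bot/pricetable.py"),
    (205.0, "process_exec", "python3", "/Users/dev/bot/pricetable.py"),
    (900.0, "file_create",  "vim",     "/tmp/notes.txt"),
    (910.0, "file_delete",  "vim",     "/tmp/notes.txt"),
]


def find_run_once_and_delete(events, window=60.0):
    """Return paths that were created, executed and then deleted, in that
    order, with the whole sequence fitting inside `window` seconds.

    A create followed by an exec but no delete (pricetable.py) and a
    create/delete with no exec in between (notes.txt) are not reported.
    """
    by_path = defaultdict(list)
    for ts, kind, _proc, path in sorted(events):
        by_path[path].append((ts, kind))

    hits = []
    for path, seq in by_path.items():
        created = executed = None
        for ts, kind in seq:
            if kind == "file_create":
                # A fresh create restarts the sequence for this path.
                created, executed = ts, None
            elif kind == "process_exec" and created is not None:
                executed = ts
            elif kind == "file_delete" and executed is not None and ts - created <= window:
                hits.append(path)
                created = executed = None
    return hits


if __name__ == "__main__":
    for path in find_run_once_and_delete(SAMPLE_EVENTS):
        print("run-once-and-delete script:", path)
```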
During a single execution of testSpeed.py, the program downloaded additional content and eventually deployed a file that Elastic referred to as "Sugarloader." Sugarloader was concealed using a "binary packer," enabling it to evade detection by most malware identification systems. However, Elastic researchers uncovered it by forcing the program to halt after the initialization process and taking a snapshot of the process's virtual memory.
Elastic ran Sugarloader through VirusTotal, but no engine flagged it as malicious. Once Sugarloader is on a device, it connects to a remote server and loads Kandykorn directly into memory, without writing it to disk. Kandykorn exposes a set of capabilities that the remote server can invoke, such as listing directory contents on the victim's machine or transferring the victim's files to the attacker's machine.
Elastic believes the attack took place in April 2023 and emphasizes that the threat remains active, with its tools and techniques continually evolving. Centralized cryptocurrency exchanges and applications have faced a wave of attacks in 2023, with several platforms being targeted. These attacks often involve the theft of private keys from victims' devices and the unauthorized transfer of customers' cryptocurrencies to the attackers' addresses. The FBI has accused the Lazarus Group of being responsible for the Coinex hack and the Stake attack.