A newly identified macOS malware called 'KandyKorn' has been discovered in a cyber campaign linked to the North Korean hacking group Lazarus. The targets of this attack are blockchain engineers associated with a cryptocurrency exchange platform.
The attackers are using Discord channels to pose as members of the cryptocurrency community and distribute Python-based modules. These modules initiate a complex KandyKorn infection process.
Elastic Security, the organization that uncovered the attack, has linked it to Lazarus based on similarities with their previous campaigns, including techniques used, network infrastructure, code-signing certificates, and custom detection methods for Lazarus activity.
The attack starts with social engineering on Discord, where victims are tricked into downloading a malicious ZIP archive named 'Cross-platform Bridges.zip'. This archive contains a Python script ('Main.py') that imports 13 modules, triggering the first payload, 'Watcher.py'.
Watcher.py downloads and executes another Python script called 'testSpeed.py' and a file named 'FinderTools' from a Google Drive URL. FinderTools then fetches and runs an obfuscated binary named 'SugarLoader', which appears as both '.sld' and '.log' Mach-O executables.
SugarLoader establishes a connection with a command and control server to load the final payload, KandyKorn, into memory.
In the final stage, a loader known as HLoader is used. It impersonates Discord and employs macOS binary code-signing techniques seen in previous Lazarus campaigns. HLoader ensures persistence for SugarLoader by manipulating the real Discord app on the compromised system.
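One detection angle the chain above suggests is the SugarLoader stage: a native Mach-O executable stored under a data-file extension such as '.sld' or '.log'. The following is an added example, not code from Elastic's report or the malware itself; it checks file headers against the Mach-O magic numbers and flags any that sit behind an extension that should never hold native code. The sample tree, its file names and contents are constructed for the demonstration.

```python
import os
import tempfile

# Mach-O magic values as they appear on disk (both byte orders), thin and fat.
# Note: 0xCAFEBABE also opens Java .class files, which is why extension
# context matters; only extensions that should never hold native code are flagged.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM (32-bit)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # FAT_MAGIC / FAT_CIGAM
}

# Extensions a Mach-O executable has no business carrying (.sld and .log are
# the two reported for SugarLoader; the rest are ordinary data files).
DATA_EXTENSIONS = {".log", ".sld", ".txt", ".json"}

def is_macho(path: str) -> bool:
    """Return True if the file begins with a Mach-O magic number."""
    try:
        with open(path, "rb") as f:
            return f.read(4) in MACHO_MAGICS
    except OSError:
        return False

def find_disguised_macho(root: str) -> list:
    """Walk `root` and return relative paths of Mach-O files behind data extensions."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            ext = os.path.splitext(name)[1].lower()
            path = os.path.join(dirpath, name)
            if ext in DATA_EXTENSIONS and is_macho(path):
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)

def build_sample_tree() -> str:
    """Constructed sample: two disguised Mach-O stubs, one real log, one plain binary."""
    root = tempfile.mkdtemp(prefix="kk_sample_")
    samples = {
        "Library/Caches/sugar.sld": b"\xcf\xfa\xed\xfe" + b"\x00" * 28,  # 64-bit LE header
        "tmp/update.log": b"\xca\xfe\xba\xbe" + b"\x00" * 28,            # fat header
        "tmp/real.log": b"2023-11-01 12:00:00 INFO started\n",           # genuine log text
        "bin/FinderTools": b"\xcf\xfa\xed\xfe" + b"\x00" * 28,          # executable, no data ext
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root
```

Running `find_disguised_macho(build_sample_tree())` returns only the two stubs hidden behind '.sld' and '.log'; a real executable such as the constructed 'bin/FinderTools' is left for other controls (code-signature and download-origin checks) to judge.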
KandyKorn serves as the advanced final-stage payload, allowing Lazarus to access and steal data from the infected computer. It operates discreetly in the background, awaiting commands from the command and control server, and takes steps to minimize its trace on the system.
KandyKorn supports a range of commands, including terminating processes, gathering system information, listing directory contents, uploading and exfiltrating files, securely deleting files, and executing system commands, among others.
The Lazarus group primarily targets the cryptocurrency sector for financial gain, rather than engaging in espionage. The presence of KandyKorn highlights that macOS systems are also vulnerable to Lazarus' attacks, showcasing the group's ability to create sophisticated and inconspicuous malware tailored for Apple computers.