A new strain of malware named “KandyKorn” has been discovered on Apple’s macOS, and it’s reportedly linked to the North Korean hacking group Lazarus.
This malware has specifically targeted blockchain engineers associated with a cryptocurrency exchange platform. KandyKorn is a stealthy backdoor that exhibits various malicious capabilities, including data retrieval, directory listing, file upload and download, secure deletion, process termination, and command execution, as detailed in an analysis by Elastic Security Labs.
The attackers behind this malware have employed a sophisticated approach. Initially, they spread Python-based modules via Discord channels, impersonating community members to lure unsuspecting victims. The social engineering tactics involve convincing community members to download a seemingly harmless ZIP archive named “Cross-platform Bridges.zip.” This file masquerades as an arbitrage bot designed for automated profit generation. However, once downloaded, it imports 13 malicious modules that collaborate to steal and manipulate information.
What sets this attack apart is the use of a technique known as “execution flow hijacking” to achieve persistence on macOS. This method was not previously observed in Lazarus’s tactics. It demonstrates the threat actor’s ability to adapt and evolve its tactics to infiltrate Apple computers.
Lazarus, a notorious hacking group, has consistently shown a keen interest in the cryptocurrency sector. While the group also conducts espionage, its primary motive is financial gain. The existence of KandyKorn underscores that macOS is well within Lazarus’s targeting range, and it highlights the group’s ability to craft sophisticated and inconspicuous malware tailored specifically for Apple’s operating system.
This discovery serves as a reminder of the constant need for vigilance and security measures in the cryptocurrency space, where hackers and malicious actors are always seeking vulnerabilities to exploit.
In a separate incident related to the cryptocurrency world, a recent exploit of Unibot, a popular Telegram bot used for trading on the decentralized exchange Uniswap, caused a sharp price drop in Unibot’s own token. The exploit, described as a token approval vulnerability, drove the token’s price down by 40% within a single hour. The blockchain analytics firm Scopescan alerted Unibot users to the ongoing hack, which an official source later confirmed. Unibot has taken responsibility for the issue and pledged to compensate all users who suffered losses due to the contract exploit.