'KandyKorn' macOS Malware Lures Crypto Engineers

Posing as fellow engineers, the North Korean state-sponsored cybercrime group Lazarus tricked crypto-exchange developers into downloading the hard-to-detect malware.

3 Min Read
Colorful candy corn on a blue background
Source: Brent Hofacker via Alamy Stock Photo

The infamous North Korean advanced persistent threat (APT) group Lazarus has developed a form of macOS malware called "KandyKorn," which it is using to target blockchain engineers connected to cryptocurrency exchanges.

According to a report from Elastic Security Labs, KandyKorn has a full-featured set of capabilities to detect, access, and steal any data from the victim's computer, including cryptocurrency services and applications.

To deliver it, Lazarus took a multistage approach involving a Python application masquerading as a cryptocurrency arbitrage bot (a software tool capable of profiting from the difference in cryptocurrency rates between cryptocurrency exchange platforms). The app featured misleading names, including "config.py" and "pricetable.py," and was distributed through a public Discord server.

The group then employed social engineering techniques to encourage its victims to download and unzip a zip archive into their development environments, purportedly containing the bot. In actuality, the file contained a prebuilt Python application with malicious code.

Victims of the attack believed they had installed an arbitrage bot, but launching the Python application initiated the execution of a multistep malware flow culminating in the deployment of the KandyKorn malicious tool, Elastic Security experts said.

KandyKorn Malware's Infection Routine

The attack begins with the execution of Main.py, which imports Watcher.py. This script checks the Python version, sets up local directories, and retrieves two scripts directly from Google Drive: TestSpeed.py and FinderTools.

These scripts are used to download and execute an obfuscated binary called Sugarloader, responsible for giving initial access to the machine and preparing the final stages of the malware, which also involve a tool called Hloader.

The threat team was able to trace the entire malware deployment path, drawing the conclusion that KandyKorn is the final stage of the execution chain.

KandyKorn processes then establish communication with the hackers' server, allowing it to branch out and run in the background.

The malware does not poll the device and installed applications but waits for direct commands from the hackers, according to the analysis, which reduces the number of endpoints and network artifacts created, thus limiting the possibility of detection.

The threat group also used reflective binary loading as an obfuscation technique, which helps the malware bypass most detection programs.

"Adversaries commonly use obfuscation techniques such as this to bypass traditional static signature-based antimalware capabilities," the report noted.

Cryptocurrency Exchanges Under Fire

Cryptocurrency exchanges have suffered a series of private key theft attacks in 2023, most of which have been attributed to the Lazarus group, which uses its ill-gotten gains to fund the North Korean regime. The FBI recently found the group had moved 1,580 bitcoins from multiple cryptocurrency heists, holding the funds in six different bitcoin addresses.

In September, attackers were discovered targeting 3D modelers and graphic designers with malicious versions of a legitimate Windows installer tool in a cryptocurrency-thieving campaign that's been ongoing since at least November 2021.

A month prior, researchers uncovered two related malware campaigns, dubbed CherryBlos and FakeTrade, which targeted Android users for cryptocurrency theft and other financially motivated scams.

Growing Threat From DPKR

An unprecedented collaboration by various APTs within the Democratic People's Republic of Korea (DPRK) makes them harder to track, setting the stage for aggressive, complex cyberattacks that demand strategic response efforts, a recent report from Mandiant warned.

For instance, the country's leader, Kim Jong Un, has a Swiss Army knife APT named Kimsuky, which continues to spread its tendrils around the world, indicating it's not intimidated by the researchers closing in. Kimsuky has gone through many iterations and evolutions, including an outright split into two subgroups.

Meanwhile, the Lazarus group appears to have added a complex and still evolving new backdoor to its malware arsenal, first spotted in a successful cyber compromise of a Spanish aerospace company.

About the Author

Nathan Eddy, Contributing Writer

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights