North Korean Hackers Hit Apple and Crypto Exchanges with macOS Malware

Cybersecurity Alert: macOS Malware “KandyKorn” in Circulation

North Korean hacking entities, believed to be associated with the well-known Lazarus Group, have been actively targeting cryptocurrency exchanges, deploying a new strain of macOS malware known as KandyKorn. The attackers have been reported to impersonate blockchain engineers on popular platforms like Discord to lure their victims.

Ingenious Social Engineering Tactics

Elastic Security Labs, a cybersecurity research firm, has uncovered that these cybercriminals use advanced social engineering tactics. They trick unsuspecting victims into downloading a ZIP file containing the malware, disguised as a cryptocurrency arbitrage bot, a tool designed to take advantage of price differences between exchanges.

Watcher.py: The Trigger for KandyKorn

The initial infection starts with the victim downloading a Python file, which subsequently downloads and executes Watcher.py. This script is the gateway to the infection chain known as REF7001, leading to the execution of the KandyKorn malware.

Capabilities of the KandyKorn RAT

KandyKorn operates as a remote access trojan (RAT) and a backdoor. It boasts a variety of malicious capabilities, including data exfiltration, executing directory listings, secure file deletion, and managing file uploads and downloads.

Stealthy Communication Tactics

The Elastic researchers noted that KandyKorn stands out for its communication protocol with its command-and-control (C2) server. The malware awaits commands rather than continuously polling for them, which reduces its footprint and chances of being detected.

Ongoing Threat Activity Since April 2023

The malware campaign is believed to have commenced in April 2023 and remains active. The cybercriminals continue to refine their tools and techniques; the latest developments are RC4-encrypted KandyKorn C2 traffic and Sugarloader.

Rising Concerns Over Cryptocurrency Exchange Security

This latest attack vector reiterates that macOS users are not immune to sophisticated malware campaigns, especially in the lucrative cryptocurrency sector. The Money Mongers, an independent think tank, has reported significant losses in the crypto industry due to such cyber attacks, with a staggering $12.36 billion lost since 2011.

A Yearly Snapshot of Crypto Hacks

According to their data, 297 crypto-related hacking incidents have occurred this year alone, translating to an industry loss of approximately $216,000 every hour. Chainalysis’s reports highlight 2022 as the most detrimental year for crypto businesses, with losses summing up to $3.8 billion due to hacks.

Record-Breaking Thefts by the Lazarus Group

Notably, the Lazarus Group, reputedly backed by the North Korean government, has been implicated in the theft of an extraordinary $1.7 billion in cryptocurrencies across various hacking operations, setting a new record for the group’s criminal activities.

Enhanced Security Measures: A Call to Action

The findings by The Money Mongers underscore an urgent call for fortified security measures within the cryptocurrency domain. As the threat landscape evolves, so too must the industry’s defense mechanisms to safeguard against these increasingly sophisticated cyber threats.

About Maria Morgan

Maria Morgan is a full-time cryptocurrency journalist at Coinography. She is a graduate in Political Science and Journalism from London, and her writing centers on cryptocurrency news, regulation and policy-making across the globe.
