Cryptocurrency Security Experts Warn: Lazarus Group is Active!

This time, the targets of North Korean hackers suspected to be associated with the Lazarus Group were blockchain engineers at cryptocurrency exchange platforms. The hackers are using a new macOS malware called Kandykorn for this.

Cryptocurrency security experts detected and analyzed the attack

This attack, tracked by Elastic Security Labs as REF7001, uses a combination of proprietary and open-source capabilities to gain initial access to macOS systems and then move deeper into them. According to an advisory the security experts published today, the attack began when the attackers impersonated members of the blockchain engineering community on a public Discord server and persuaded victims to download and open a ZIP archive containing malicious code. Victims believed they were installing an arbitrage bot to profit from exchange-rate differences between cryptocurrency markets. The execution flow of REF7001 consists of five stages:

  1. Initial compromise: The hackers disguise a Python application called Watcher.py as an arbitrage bot and distribute it in a ZIP file titled “Cross-Platform Bridges.zip”.
  2. Dropper: TestSpeed.py and FinderTools serve as intermediate scripts that download and run Sugarloader.
  3. Payload: Sugarloader, an obfuscated binary, is used as the loader for initial access and to set up the final stage, Kandykorn.
  4. Loader: Hloader, a payload masquerading as the legitimate Discord app, is used as a persistence mechanism to load Sugarloader.
  5. Payload: The final stage of the intrusion, Kandykorn, comes into play. It provides a full-featured set of capabilities for data access and exfiltration, and through it the attackers reach the users of cryptocurrency exchange platforms.
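As an added defensive illustration (not code from the article or from Elastic), the following correlator runs over constructed endpoint telemetry and flags a host on which two or more stages of the REF7001 chain above appear, using only the artifact names the article gives; the Discord check assumes the genuine app lives under /Applications/Discord.app/, and the event format and host names are invented.

```python
import os
from collections import defaultdict

# Artifact names the article attributes to each REF7001 stage (assumed to
# appear as the basename of the executed or created file in telemetry).
STAGE_ARTIFACTS = {
    1: ("initial compromise", {"watcher.py", "cross-platform bridges.zip"}),
    2: ("dropper", {"testspeed.py", "findertools"}),
    3: ("loader", {"sugarloader", "hloader"}),
    4: ("payload", {"kandykorn"}),
}
# Assumed install location of the genuine Discord app on macOS.
DISCORD_BUNDLE = "/Applications/Discord.app/"

# Constructed sample telemetry: (host, event_type, path). Not real data.
SAMPLE_EVENTS = [
    ("mac-eng-01", "file_create", "/Users/dev/Downloads/Cross-Platform Bridges.zip"),
    ("mac-eng-01", "exec", "/Users/dev/Downloads/Cross-Platform Bridges/Watcher.py"),
    ("mac-eng-01", "exec", "/Users/dev/Downloads/Cross-Platform Bridges/TestSpeed.py"),
    ("mac-eng-01", "exec", "/Users/dev/Library/Application Support/Discord/Discord"),
    ("mac-eng-01", "exec", "/private/tmp/sugarloader"),
    ("mac-eng-02", "exec", "/Applications/Discord.app/Contents/MacOS/Discord"),
    ("mac-eng-02", "exec", "/Users/ops/scripts/Watcher.py"),
]

def stage_of(path):
    """Return the REF7001 stage number for a path, or None if unrelated."""
    name = os.path.basename(path).lower()
    for num, (_, names) in STAGE_ARTIFACTS.items():
        if name in names:
            return num
    return None

def is_discord_masquerade(path):
    """An executable named Discord outside the real bundle: the assumed
    signature of the Hloader persistence trick the article describes."""
    return os.path.basename(path) == "Discord" and not path.startswith(DISCORD_BUNDLE)

def correlate(events):
    """Group stage hits per host. A host is flagged when two or more distinct
    stages appear or a Discord masquerade executes; a lone Watcher.py could
    be an unrelated script, so one hit alone is not enough."""
    stages, masquerades = defaultdict(set), defaultdict(list)
    for host, ev, path in events:
        s = stage_of(path)
        if s is not None:
            stages[host].add(s)
        if ev == "exec" and is_discord_masquerade(path):
            masquerades[host].append(path)
    hosts = set(stages) | set(masquerades)
    flagged = {h for h in hosts if len(stages[h]) >= 2 or masquerades[h]}
    return {h: {"stages": sorted(stages[h]), "discord_masquerade": masquerades[h]}
            for h in sorted(flagged)}
```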

What does the Elliptic report say?

Elliptic, a blockchain security firm, stated that the Lazarus Group stole $240 million in cryptocurrencies in the last 104 days through major hacks such as Atomic Wallet, CoinsPaid, Alphapo and Stake(dot)com. The firm noted that the hackers mostly use crypto mixers to hide the source and destination of stolen funds. Axie Infinity’s Ronin Bridge and Harmony’s Horizon Bridge were the two infamous hacks of 2022 that were linked to Lazarus. As previously reported on cryptokoin.com, both attacks took place in the first half of the year. Until June, Lazarus had not been publicly linked to any significant crypto heists.

Hackers managed to bypass the firewall of the cryptocurrency payment company CoinsPaid and stole $37.3 million in assets. According to the findings, the attackers monitored and examined CoinsPaid’s systems for six months and ultimately tried a variety of tactics to gain access, including phishing, social engineering and brute force. Such attacks negatively impact adoption and slow the growth of the industry. Therefore, all countries with significant adoption of cryptocurrencies need to step up their efforts to develop strong and fair legal frameworks for this space in order to establish its legitimacy.
