North Korean Cybercriminals Stage Advanced Assault on macOS Crypto Experts via Kandykorn Malware

The infamous Lazarus Group, believed to have ties to North Korea, has executed a bold attack on macOS crypto engineers. Their weapon of choice is Kandykorn, a sophisticated malware that has caught the attention of cybersecurity experts worldwide. Elastic Security Labs closely monitored the intrusion under the codename REF7001 and has released a detailed technical analysis that sheds light on the tactics used by the Lazarus Group.

Disguised as an arbitrage bot, Kandykorn lured unsuspecting victims into downloading and opening a seemingly harmless ZIP archive. Once activated, the malware went through a five-stage execution flow, allowing it to avoid detection and infiltrate the targeted system undetected.

One of Kandykorn’s notable features is its ability to communicate with a command-and-control (C2) server through encrypted RC4. This secure transmission grants the hackers complete control over the compromised system, giving them access to data, the ability to manipulate data, and execute system commands at will.

To gain initial access, the Lazarus Group used a Python application called, which acted as a gateway for compromise. They also deceptively disguised a loader named Hloader as the legitimate Discord application, taking advantage of users’ trust in popular software platforms. Reflective binary loading, a type of memory-resident execution, was used to further hide their activities.

Impersonation played a crucial role in the attack as the Lazarus Group posed as members of the blockchain engineering community on a public Discord server. This tactic gave credibility to their schemes and increased the likelihood of victims falling into their trap. By skillfully using custom and open-source capabilities, the hackers successfully breached macOS systems, putting crypto engineers at risk.

The Lazarus Group’s focus on cryptocurrency theft aligns with their strategy of evading international sanctions. By targeting individuals involved in the crypto space, they aim to exploit the popularity of digital currencies for financial gain. This attack emphasizes the need for enhanced security measures and increased vigilance in the cryptocurrency industry.

Elastic Security Labs’ technical analysis includes carefully crafted EQL queries for hunting and detection, providing cybersecurity professionals with valuable insights to identify and mitigate similar threats. These queries can aid in the development of strong defense strategies.

Although Kandykorn does not actively seek out commands, relying instead on instructions from the C2 server, this passive approach adds another layer of stealth to the malware’s operations, making detection more challenging.

Another payload used by the Lazarus Group was Sugarloader, an obfuscated binary designed for initial access. By using multiple delivery and execution methods, the hackers ensured their presence remained hidden from unsuspecting victims.

The persistent attacks by the Lazarus Group on macOS systems, along with their use of sophisticated malware like Kandykorn, highlight the need for continuous advancements in cybersecurity defenses. As cryptocurrencies gain popularity, the associated risks must be mitigated with strong security measures.

In conclusion, the audacious targeting of macOS crypto engineers by the Lazarus Group using the Kandykorn malware showcases the evolving tactics used by cybercriminals. Elastic Security Labs’ technical analysis provides crucial insights into the attack flow and detection techniques, reminding individuals and organizations to remain vigilant, implement robust security measures, and stay informed about emerging threats in the ever-changing landscape of cybersecurity.

Be the first to comment

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.