A new macOS malware, known as KandyKorn and attributed to the notorious Lazarus Group, has recently been identified. The malware was discovered and analyzed by Elastic Security Labs.
Social Engineering Tactics
According to the report published by Elastic Security Labs, KandyKorn relies on social engineering, tricking victims into downloading and running a malicious ZIP archive named “Cross-platform Bridges.zip.” On the outside, the archive appears to be an arbitrage artificial intelligence (AI) bot designed to help users generate yield automatically. Inside, it is a Python application made up of a main script and 13 supporting modules; one of those modules fetches the next stage of the malware from a remote server, and it is the later stages that actually harvest data from the victim's machine.
Operating Clandestinely
Describing how effective the backdoor is, Elastic Security Labs noted that it operates quietly, and users are usually unaware of what is happening behind the scenes. Once installed, it can list directories on the compromised machine, upload and download files, delete files, terminate processes, and execute commands, all on the operator's instruction.
Execution Flow Hijacking
To stay resident, KandyKorn uses a technique Elastic calls execution flow hijacking: a loader is placed where a legitimate application's executable is expected, so that launching the application runs the loader first, which then starts the genuine program so nothing looks wrong to the user. Execution flow hijacking is uncommon on macOS, and the finding has raised concerns about the malware's potential impact on Mac users.
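One check a defender can run against that persistence pattern is below. It is an added example and not code from Elastic Security Labs or from this article, and it rests on an assumption: when a loader is swapped in for an application's real executable, the real binary is usually kept under another name in the same directory, so Contents/MacOS ends up holding more Mach-O executables than the bundle's Info.plist declares. The script reads CFBundleExecutable from Info.plist, identifies Mach-O files by their magic numbers, and flags any extra executable sitting next to the declared one (hidden dot-files are called out explicitly). The bundle names and layouts it builds are constructed for demonstration, not taken from the report.

```python
"""Heuristic scan of a macOS .app bundle for a swapped-in loader.

Added example (not from the Elastic report or this article). Assumption:
an execution-flow hijack of the kind described leaves the real binary under
another name next to the loader, so Contents/MacOS holds more Mach-O
executables than Info.plist's CFBundleExecutable declares. Code-signature
checks are left to `codesign` on a real Mac; this script only needs the
filesystem layout and therefore runs anywhere.
"""
import os
import plistlib
import tempfile

# Mach-O magic numbers: 32-bit and 64-bit thin binaries and fat (universal)
# headers, in both byte orders.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",
}


def is_macho(path):
    """True if the file starts with a Mach-O or fat-binary magic number."""
    try:
        with open(path, "rb") as f:
            return f.read(4) in MACHO_MAGICS
    except OSError:
        return False


def scan_bundle(app_path):
    """Return a list of findings (strings) for one .app bundle; empty means clean."""
    findings = []
    contents = os.path.join(app_path, "Contents")
    with open(os.path.join(contents, "Info.plist"), "rb") as f:
        info = plistlib.load(f)
    main_exe = info.get("CFBundleExecutable")
    macos_dir = os.path.join(contents, "MacOS")
    if not main_exe:
        findings.append("Info.plist has no CFBundleExecutable")
        return findings
    if not is_macho(os.path.join(macos_dir, main_exe)):
        findings.append(f"declared executable {main_exe} is missing or not Mach-O")
    # Any other Mach-O in the same directory is a candidate renamed original.
    for name in sorted(os.listdir(macos_dir)):
        if name == main_exe:
            continue
        if is_macho(os.path.join(macos_dir, name)):
            tag = "hidden " if name.startswith(".") else ""
            findings.append(f"extra {tag}Mach-O executable next to {main_exe}: {name}")
    return findings


def make_demo_bundle(root, name, extra_files=()):
    """Build a constructed, minimal .app layout for demonstration (not a real app)."""
    app = os.path.join(root, name + ".app")
    macos_dir = os.path.join(app, "Contents", "MacOS")
    os.makedirs(macos_dir)
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as f:
        plistlib.dump({"CFBundleExecutable": name}, f)
    # A 64-bit little-endian Mach-O magic plus padding is enough for the check.
    header = b"\xcf\xfa\xed\xfe" + b"\x00" * 28
    for fname in (name,) + tuple(extra_files):
        with open(os.path.join(macos_dir, fname), "wb") as f:
            f.write(header)
    return app


def demo():
    """Scan one clean and one hijacked constructed bundle; returns both finding lists."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = scan_bundle(make_demo_bundle(tmp, "CleanApp"))
        hijacked = scan_bundle(
            make_demo_bundle(tmp, "ChatApp", extra_files=(".ChatApp.orig",))
        )
    return clean, hijacked


if __name__ == "__main__":
    clean, hijacked = demo()
    print("clean:", clean)
    print("hijacked:", hijacked)
```

Treat a hit as a lead, not a verdict: some legitimate bundles ship helper executables in Contents/MacOS, so the hidden-file case is the stronger signal. On the Mac itself, confirm with `codesign --verify --deep --strict` on the bundle, since a swapped-in loader breaks the original developer's signature.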
Favored Malware of Lazarus Group
KandyKorn is now a favored tool of the Lazarus Group, according to the report by Elastic Security Labs. The state-sponsored group, linked to the Democratic People’s Republic of Korea (DPRK), has taken a strong interest in the crypto space in the last couple of years. So far, the Lazarus Group has stolen more than a billion dollars from the nascent industry and has relied on cryptocurrency mixing services to launder the proceeds. KandyKorn’s emergence further highlights the increasingly sophisticated tools these groups now rely on to siphon investors’ digital funds.
Increase in Malware Incidents
KandyKorn is not the only threat the ecosystem has faced recently. The popular Telegram trading bot Unibot was exploited for upwards of $560,000 a few days earlier. According to a post by Scopescan on X (formerly Twitter), the exploiter swapped meme coins drained from Unibot users for ETH.
Lazarus Group’s Activities Beyond Crypto
In recent months, global attention has been firmly fixed on the cryptocurrency sector. The primary concern is the ease with which certain groups can use advanced tools to move funds illicitly with little detection. While various hacking groups operate in this landscape, the Lazarus Group has earned notoriety as one of the most prominent state-sponsored threat groups in the crypto space. Its activities extend beyond crypto, however: the group has recently turned its attention to software companies. Kaspersky recently disclosed a series of attacks in which the Lazarus Group exploited vulnerabilities in a legitimate software product designed to encrypt web communications using digital certificates, compromising the vendor’s own networks. That foothold enabled the attackers to retrieve data, get past firewalls, and upload or download whatever files they required.