Cyber Trick or Treat: How North Korea’s Lazarus Group Sweetened their Hack Game with KANDYKORN Malware

Feeling sweet? The Lazarus Group’s KANDYKORN macOS Malware is a sour surprise! It’s the latest trick in their bag, targeting unsuspecting blockchain engineers with a Python app disguised as an arbitrage bot. This wolf in sheep’s clothing delivers a SUGARLOADER payload and a KANDYKORN trojan. Now that’s a bitter bite!

Hot Take:

Feeling sweet? North Korea’s Lazarus Group sure does with their new KANDYKORN macOS malware! It’s the latest addition to their trick-or-treat bag of nasty surprises. This time, the unsuspecting victims were a crypto exchange’s blockchain engineers. The hackers posed as fellow engineers on Discord, distributing a Python app disguised as an arbitrage bot, a classic wolf in sheep’s clothing scenario. The result? A SUGARLOADER payload and a KANDYKORN trojan that could do everything from exfiltrating data to executing arbitrary commands. So much for the sweet treat!

Key Points:

  • North Korea’s Lazarus Group has been linked to a new type of macOS malware called KANDYKORN.
  • Blockchain engineers at a cryptocurrency exchange were targeted by the threat actors, who posed as engineers on Discord.
  • The attackers distributed a Python app disguised as an arbitrage bot, which led to the execution of a SUGARLOADER payload and the KANDYKORN remote access trojan.
  • KANDYKORN has capabilities for file enumeration, data exfiltration, additional malware execution, process termination, and arbitrary command execution.
  • The use of KANDYKORN comes after recent attacks involving updated FastViewer malware by North Korean threat cluster Kimsuky, also known as APT43.

Need to know more?

It's Not Just Candy, It's KANDYKORN

KANDYKORN is Lazarus Group's newest creation, an advanced implant with a variety of capabilities. It's not just a simple piece of malware; it can monitor and interact with the compromised host while avoiding detection. It also uses reflective loading, executing code directly in memory rather than from a file on disk, which can slip past file-based detections. So much for sugar and spice and everything nice!

Imposters on Discord

Remember when your mom told you not to take candy from strangers? The same applies to Python apps from engineers on Discord. The attackers managed to spoof engineers and distribute a Python app under the guise of an arbitrage bot, leading to the deployment of the SUGARLOADER payload and the KANDYKORN trojan.

APT43 and the FastViewer

It appears the Lazarus Group is not alone in their efforts. The recent use of KANDYKORN comes shortly after North Korean threat cluster Kimsuky, also known as APT43, was reported using updated FastViewer malware in their attacks. It seems when it comes to cyber threats, North Korea is like a kid in a candy store.