A macOS malware called KANDYKORN has been used by state-sponsored threat actors from the Democratic People's Republic of Korea (DPRK) to target blockchain engineers at unnamed crypto exchanges via Discord. In April 2023, Elastic Security Labs linked this activity to the Lazarus Group. The threat actors enticed blockchain engineers with a Python application to gain initial access, and the intrusion proceeded through multiple stages that employed defense evasion techniques. What sets this campaign apart is the attackers' impersonation of blockchain engineers on a public Discord server, using social engineering to trick victims into downloading a ZIP archive containing malicious code.

KANDYKORN is an advanced implant that uses reflective loading, which allows it to evade detection. The chain starts with a Python script (watcher.py) that retrieves a second Python script (testSpeed.py) hosted on Google Drive. That dropper in turn fetches a further Python file from Google Drive called Finder Tools. Finder Tools also functions as a dropper, downloading and executing a hidden second-stage payload, SUGARLOADER, which connects to a remote server to retrieve KANDYKORN and execute it in memory. SUGARLOADER also launches a Swift-based self-signed binary named HLOADER, which mimics the legitimate Discord application and achieves persistence through execution flow hijacking. KANDYKORN, the final payload, is a memory-resident RAT capable of enumerating files, running additional malware, exfiltrating data, terminating processes, and executing arbitrary commands.

The DPRK, and the Lazarus Group in particular, continues to target crypto-industry businesses to steal cryptocurrency, circumventing the international sanctions that hinder its economy and ambitions.
The Toronto District School Board (TDSB) has issued a warning following a ransomware attack on its software testing environment, with ongoing investigations to assess potential exp...
ESET researcher Lukáš Štefanko reported on June 13, 2024, that Arid Viper, a suspected Hamas-affiliated group also known as APT-C-23 and Desert Falcon, has been conducting a mob...
Truist Bank, a prominent U.S. commercial bank formed after the merger of SunTrust Banks and BB&T in December 2019, acknowledged a cyberattack in October 2023 after a threat actor k...