A cryptocurrency exchange became a preferred target for the infamous North Korean hacker group, Lazarus Group, as they employed a novel malware named Kandykorn for their malicious activities.
Elastic Security Labs made a report on October 31, revealing that the infamous Lazarus Group aimed to breach a cryptocurrency exchange using a fresh strain of malicious software (malware), named Kandykorn.
After analyzing network infrastructure and techniques used, Elastic Security Labs has identified striking resemblances between the recent cyber activity, spanning from April 2023 onwards, and the notorious Lazarus Group.
Elastic reports that the unknown individuals who launched the attack adopted the personas of blockchain specialists and specifically aimed at engineers affiliated with an undisclosed cryptocurrency exchange within a public Discord server.
The engineers were enticed by the promise of a lucrative arbitrage bot capable of capitalizing on cryptocurrency price disparities across different exchanges. To acquire this intriguing bot, they willingly downloaded it, unaware that it cleverly masqueraded as harmless arbitrage tools named config.py and pricetable.py.
Complex Five-Stage Process Deploys ‘KANDYKORN’ Advanced Malware with Reflective Loading
Elastic Security Labs recently disclosed a groundbreaking revelation—KANDYKORN, an ingeniously crafted surveillance tool engineered to skillfully elude detection while proficiently monitoring and interacting. The deployment of this remarkable implant entails an intricately choreographed five-step procedure, meticulously highlighting its impressive range of capabilities.
The commencement of the attack chain occurs when the Python script watcher.py is executed. This script is stored in a file named Main.py. Within Main.py, there are two malicious files, and watcher.py is one of them. It creates a connection to a remote Google Drive account and starts downloading content into a file named testSpeed.py. Once testSpeed.py is executed, it is immediately deleted to ensure no traces are left behind.
Throughout this concise process, further data is acquired. TestSpeed.py acts as a dispenser, retrieving an alternate Python file with the title FinderTools from a designated Google Drive link. Serving as an additional dispenser, FinderTools proceeds to download and put into action a hidden secondary payload, appropriately labeled as SUGARLOADER.
SUGARLOADER cleverly evades malware detection programs by utilizing a technique called binary packing to conceal its existence. Despite this challenge, Elastic Security Labs successfully uncovered SUGARLOADER by intercepting the program’s post-initialization functions and thoroughly examining the virtual memory.
Once initialized, SUGARLOADER initiates a linkage with a distant server, acquiring the ultimate-level ammunition, KANDYKORN. This ammunition is directly initiated within the core memory. Moreover, SUGARLOADER commences the launch of HLOADER, a self-certified binary created in the Swift programming language, cunningly posing as the authentic Discord application. It accomplishes lasting presence by exploiting a tactic recognized as execution flow interception.
KANDYKORN, a mighty Remote Access Trojan (RAT), represents an immensely powerful payload with a range of functionalities at its disposal. These functionalities include searching and categorizing files, launching other harmful software, secretly extracting sensitive data from compromised systems, forcefully terminating processes, and executing any desired commands.
KANDYKORN provides the remote server with various functions that can be exploited for nefarious purposes. These functions include listing the contents of directories and effortlessly transferring files from the victim’s system to the attacker’s system. Detecting this advanced implant underscores the ever-changing realm of cyber threats and emphasizes the significance of implementing strong security measures.
Cyberattacks by Lazarus Group Result in Millions Stolen from Crypto Exchanges via Private-Key Hacks in 2023
In the year 2023, an alarming surge of private-key thefts has plagued the world of cryptocurrency trading. Investigations have uncovered a common thread leading back to the notorious Lazarus Group, a cybercrime organization hailing from North Korea. This relentless group has played a pivotal role in multiple high-profile crypto heists, amounting to staggering sums reaching millions of dollars. Notably, their most brazen exploit resulted in a devastating loss of over $40 million for the popular sports betting platform, Stake.com.
Lazarus, the notorious cyber threat group, has reportedly caused a massive loss of approximately $240 million in cryptocurrencies over the past few months, as per the findings of blockchain surveillance company, Elliptic. Their cunning operations targeted various platforms, including Atomic Wallet ($100 million), CoinsPaid ($37.3 million), Alphapo ($60 million), CoinEx ($54 million), and Stake.com ($41 million), cleverly extracting valuable crypto assets.
The Coinex hack, along with the Stake attack and various others, has been attributed to the Lazarus Group by the United States Federal Bureau of Investigation.
A recent study by 21. co, a provider of institutional crypto platforms, reveals that Lazarus Group-affiliated wallets possess approximately 1,600 Bitcoin, 10,810 Ether, and 64,490 Binance Coins.
Frequently Asked Questions:
Unveiling the enigmatic Lazarus Group: exploring their role in the latest occurrence?
The notorious Lazarus Group arises as a state-backed group of cyber hackers hailing from North Korea. Exhibiting their deceptive prowess, they deployed an innovative malware named Kandykorn to direct their attack toward a vulnerable cryptocurrency exchange.
From whence did the notification of this incident originate and at what point in time was its discovery discerned?
On Halloween day, precisely on October 31, 2023, Elastic Security Labs alerted the world about the occurrence of an attack.
By what means did the assailants manage to infiltrate the engineers of the digital currency exchange?
In a clever ruse, the assailants assumed the guise of blockchain experts within a widely accessible Discord server. Craftily, they managed to persuade the exchange’s engineers to acquire a malevolent arbitrage bot cunningly camouflaged as an authentic utility.
Could you kindly explain the operational procedure involved in the propagation of the Kandykorn malware?
The intricate process of implementing Kandykorn encompasses five stages, which encompass the running of Python scripts, utilization of a binary packer, and establishing a link with a distant server.
What does the Kandykorn malware have the ability to do?
Kandykorn, a Remote Access Trojan (RAT), possesses a range of abilities such as scanning files, launching further malware, extracting data, terminating processes, and executing any user-defined commands.
In the year 2023, what is the estimated amount of cryptocurrency that Lazarus Group has been associated with pilfering?
Since June 2023, a string of high-profile heists against various cryptocurrency exchanges, including Atomic Wallet, CoinsPaid, Alphapo, CoinEx, and Stake.com, has resulted in Lazarus Group pilfering approximately $240 million worth of digital currencies.
Has the Federal Bureau of Investigation (FBI) filed any charges against the Lazarus Group?
The alleged culprits responsible for the Coinex hack, the Stake attack, and various other cryptocurrency-related incidents have been charged by the FBI, pointing fingers at none other than the Lazarus Group.
Which cryptocurrencies are linked to wallets affiliated with Lazarus Group?
As per a report by 21. co, the wallets affiliated with the Lazarus Group reportedly possess approximately 1,600 Bitcoin, 10,810 Ether, and 64,490 Binance Coins in total.