The North Korean hacking group Lazarus has targeted blockchain engineers of a cryptocurrency exchange platform with macOS malware known as "KandyKorn." This stealthy backdoor is capable of various malicious activities, including data retrieval, directory listing, file upload/download, secure deletion, process termination, and command execution. The attackers used social engineering tactics to distribute malicious modules, impersonating community members to trick users into downloading a malicious ZIP archive named "Cross-platform Bridges.zip." The malware is a significant threat to macOS users and highlights Lazarus's ability to create sophisticated and inconspicuous malware tailored for Apple computers.



A new malware discovered on Apple's macOS, linked to the North Korean hacking group Lazarus, has reportedly targeted blockchain engineers working for a cryptocurrency exchange platform. The macOS malware, named "KandyKorn," functions as a stealthy backdoor with a wide range of capabilities, including data retrieval, directory listing, file upload and download, secure deletion, process termination, and command execution. This discovery was made through an analysis conducted by Elastic Security Labs.


The malware propagation process follows a series of steps, starting with the distribution of Python-based modules through Discord channels. The attackers employ social engineering tactics to deceive community members into downloading a malicious ZIP archive, which masquerades as an arbitrage bot designed for automated profit generation, named "Cross-platform Bridges.zip." However, this archive contains 13 malicious modules that work in concert to steal and manipulate information.


The report from Elastic Security Labs mentions that the threat actors adopted a new technique to achieve persistence on macOS, known as execution flow hijacking, demonstrating their evolving tactics.


Lazarus, the North Korean hacking group responsible for this malware, has the cryptocurrency sector as one of its primary targets. Their focus is primarily financial gain rather than espionage, which sets them apart from other hacking groups. The emergence of the KandyKorn macOS malware underlines that Apple computers are well within Lazarus' targeting range. It highlights the group's remarkable ability to craft sophisticated and inconspicuous malware tailored for macOS.


In a separate incident, a recent exploit targeting Unibot, a popular Telegram bot used for trading on the decentralized exchange Uniswap, resulted in a 40% crash in the token's price within one hour. Blockchain analytics firm Scopescan alerted Unibot users about an ongoing hack, which was later confirmed by an official source. The exploit was related to a token approval vulnerability in the router used by Unibot. The Unibot team committed to compensating all users who lost funds due to the contract exploit.


The discovery of KandyKorn malware and the Unibot exploit illustrate the persistent cybersecurity threats facing the cryptocurrency industry and the importance of robust security measures to protect digital assets and user information.


(ARIJIT SARKAR, COINTELEGRAPH, 2023)