North Korea’s Lazarus Group, a notorious hacker collective, has recently been observed adopting a new technique to target blockchain engineers. Elastic Security Labs has reported that the group attempted to infect its targets with a strain of macOS malware called “KANDYKORN.” The malware was distributed via a Python application disguised as an arbitrage bot specifically tailored for blockchain engineers.
This marks a departure from the group's usual tactics. Elastic Security Labs found that the Lazarus Group achieved persistence on macOS through execution flow hijacking, a technique not previously seen from the group. Rather than registering a new launch agent or login item, which leaves an obvious artifact, the attackers hijacked an application the user already starts at login: Discord, which many users configure as a login item so that it launches at boot.
The hijack works through HLOADER, a self-signed binary written in Swift that takes the place of the Discord executable inside the app bundle. When Discord starts, HLOADER launches both the legitimate Discord bundle, so the user sees nothing unusual, and a second payload named .log. That .log payload loads Mach-O binaries directly into memory and executes them without writing them to disk, so the final stage leaves no file for on-disk scanning to find. Because the chain re-runs every time Discord starts, the group maintained persistence on compromised systems without adding any new persistence mechanism.
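The hijack described above leaves two on-disk artifacts a responder can look for: an extra Mach-O sitting in Contents/MacOS beside the declared executable (the original binary, renamed so the loader can take its name), and a Mach-O payload stored under a non-executable extension such as .log. The following triage script is an added example written for this page; it is not Elastic's tooling and not from the original report. The bundle layout and the file names Discord.tmp (for the renamed original) and .log (for the payload, taken from the description above) are assumptions, and the fixture bundles it builds are constructed test data, not real Discord.

```python
"""Triage check for a hijacked macOS app bundle (added example, not from the report).

Flags two artifacts of the loader-swap technique described above:
  1. an extra Mach-O in Contents/MacOS that is not the CFBundleExecutable;
  2. a Mach-O payload stored under a non-executable extension such as ".log".
"""
import os
import plistlib
import tempfile

# First four bytes of a Mach-O file as stored on disk.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce",  # 32-bit, big-endian
    b"\xfe\xed\xfa\xcf",  # 64-bit, big-endian
    b"\xce\xfa\xed\xfe",  # 32-bit, little-endian
    b"\xcf\xfa\xed\xfe",  # 64-bit, little-endian (x86_64 / arm64)
    b"\xca\xfe\xba\xbe",  # universal (fat) binary
}
# Extensions that should never carry executable code inside a bundle.
SUSPECT_EXTS = (".log", ".txt", ".json", ".png", ".plist")


def is_macho(path):
    """True if the file starts with a Mach-O or fat-binary magic number."""
    try:
        with open(path, "rb") as f:
            return f.read(4) in MACHO_MAGICS
    except OSError:
        return False


def scan_bundle(bundle):
    """Return a list of findings for one .app bundle; empty means nothing suspicious."""
    contents = os.path.join(bundle, "Contents")
    with open(os.path.join(contents, "Info.plist"), "rb") as f:
        declared = plistlib.load(f).get("CFBundleExecutable")
    findings = []
    # 1. Any Mach-O in Contents/MacOS other than the declared executable.
    macos_dir = os.path.join(contents, "MacOS")
    for name in sorted(os.listdir(macos_dir)):
        if name != declared and is_macho(os.path.join(macos_dir, name)):
            findings.append(f"extra Mach-O beside {declared} in Contents/MacOS: {name}")
    # 2. Executable code hiding behind a data-file extension anywhere in the bundle.
    for root, _, files in os.walk(contents):
        for name in files:
            full = os.path.join(root, name)
            if name.lower().endswith(SUSPECT_EXTS) and is_macho(full):
                findings.append(
                    f"Mach-O hidden behind non-binary extension: {os.path.relpath(full, bundle)}"
                )
    return findings


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def build_fixture(root, hijacked):
    """Construct a minimal Discord.app lookalike (fake test data, not real Discord).

    Assumed names: 'Discord.tmp' for the renamed original, '.log' for the payload.
    """
    bundle = os.path.join(root, "Discord.app")
    fake_macho = b"\xcf\xfa\xed\xfe" + b"\x00" * 28  # 64-bit LE magic + padding
    _write(os.path.join(bundle, "Contents", "Info.plist"),
           plistlib.dumps({"CFBundleExecutable": "Discord"}))
    _write(os.path.join(bundle, "Contents", "MacOS", "Discord"), fake_macho)
    if hijacked:
        # Loader now owns the "Discord" name; original parked beside it under an
        # assumed name, and the in-memory loader stored as a ".log" file.
        _write(os.path.join(bundle, "Contents", "MacOS", "Discord.tmp"), fake_macho)
        _write(os.path.join(bundle, "Contents", "Resources", ".log"), fake_macho)
    return bundle


def demo():
    """Scan a clean and a hijacked fixture; returns {'clean': [...], 'hijacked': [...]}."""
    with tempfile.TemporaryDirectory() as tmp:
        return {
            "clean": scan_bundle(build_fixture(os.path.join(tmp, "clean"), False)),
            "hijacked": scan_bundle(build_fixture(os.path.join(tmp, "bad"), True)),
        }


if __name__ == "__main__":
    for label, found in demo().items():
        print(label, found or "no findings")
```

Treat a hit as a triage signal rather than a verdict: some legitimate apps ship helper executables in Contents/MacOS, and a loader that has taken the main executable's name is a valid Mach-O like any other. On a real host, confirm a finding with `codesign --verify --deep --strict` on the bundle and check that the main binary's signing identity still matches the vendor's rather than an ad-hoc or self-signed certificate, which is the property the self-signed HLOADER cannot satisfy.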
According to researchers, this campaign has been ongoing since April 2023, and the Lazarus Group has been continuously developing new tools and techniques. It is evident that the group is not slowing down its activities anytime soon.
Jaron Bradley, the Director of Jamf Threat Labs, commented on the Lazarus Group’s actions. He emphasized that the group shows no intention of slowing down its targeting of companies and individuals involved in cryptocurrency. Additionally, Bradley highlighted their proficiency in advanced attacker techniques and their ability to utilize new malware. The Lazarus Group has been known to establish trust with victims through various chat technologies before tricking them into running malicious software.
The Lazarus Group, with its links to the North Korean government, has been a major concern for cybersecurity experts and intelligence agencies worldwide. The group has been responsible for numerous high-profile cyberattacks, including the WannaCry ransomware outbreak in 2017 and the attack on Sony Pictures in 2014. Their primary motivation appears to be financial gain, with a particular focus on cryptocurrency theft.
Given their history and their continuous development of new tactics and malware strains, it is crucial for organizations and individuals involved in the blockchain industry to remain vigilant. Security measures must be implemented to protect against potential attacks from the Lazarus Group and other sophisticated threat actors.
As the Lazarus Group adapts and evolves, cybersecurity professionals must stay ahead of the curve. This requires constant monitoring of emerging threats, proactive defense strategies, and the implementation of robust security solutions. Collaborative efforts between the public and private sectors are also essential to effectively combat the growing cyber threats posed by groups like the Lazarus Group.

