Lazarus Group prospects blockchain engineers with KANDYKORN.

Elastic Security Labs describes an attempt by North Korea’s Lazarus Group to target blockchain engineers with a newly observed strain of macOS malware called “KANDYKORN.” The malware was delivered “via a camouflaged Python application designed and advertised as an arbitrage bot targeted at blockchain engineers.” 

Execution flow hijacking is new for the Lazarus Group.

The researchers note, “We observed the threat actor adopting a technique we have not previously seen them use to achieve persistence on macOS, known as execution flow hijacking. The target of this attack was the widely used application Discord. The Discord application is often configured by users as a login item and launched when the system boots, making it an attractive target for takeover. HLOADER is a self-signed binary written in Swift. The purpose of this loader is to execute both the legitimate Discord bundle and .log payload, the latter of which is used to execute Mach-O binary files from memory without writing them to disk.”

The campaign has been ongoing since April 2023, and “the tools and techniques are being continuously developed.”

Lazarus Group isn’t slowing down.

Jaron Bradley, Director of Jamf Threat Labs at Jamf, wrote, in emailed comments, “The actions displayed by Lazarus Group show that the actor has no intent to slow down in their targeting of companies and individuals holding onto crypto-currency. They also continue to show that there is no shortage of new malware in their back pocket as well as familiarity with advanced attacker techniques. We continue to see them reach out directly to victims using different chat technology. It's here they build trust before tricking them into running malicious software.”