A recently discovered macOS malware, known as “KandyKorn” and allegedly linked to the North Korean hacking group Lazarus, has set its sights on blockchain engineers at a prominent cryptocurrency exchange platform.
This stealthy macOS malware functions as a backdoor with capabilities for data retrieval, directory listing, file upload and download, secure file deletion, process termination, and arbitrary command execution, according to an analysis by Elastic Security Labs. It is an alarming development in the ongoing battle against cyber threats.
The malware’s infiltration process is detailed in a flowchart illustrating the steps it takes to compromise and commandeer victims’ computers. In the initial stage, the attackers, posing as trusted community members, distribute Python-based modules through Discord channels.
These social engineering lures get victims to download a deceptive ZIP archive titled “Cross-platform Bridges.zip,” which masquerades as an arbitrage bot designed to automate profit generation. In reality, the archive contains 13 malicious modules that work in unison to steal and manipulate sensitive information, as revealed in the report.
The report states, “We observed the threat actor adopting a technique we have not previously seen them use to achieve persistence on macOS, known as execution flow hijacking.”
Lazarus Group’s primary motivation remains financial gain rather than espionage, and the cryptocurrency sector remains a prime target. The discovery of KandyKorn underscores the concerning reality that macOS is well within Lazarus’ reach, and it showcases the group’s capacity to craft sophisticated, discreet malware tailored specifically for Apple computers.
In other news, a recent exploit targeting Unibot, a popular Telegram bot used for sniping trades on the decentralized exchange Uniswap, sent the price of Unibot’s own token down 40% within just one hour.
Blockchain analytics firm Scopescan promptly alerted Unibot users to an ongoing hack, which was subsequently confirmed by an official source:
“We experienced a token approval exploit from our new router and have paused our router to contain the issue.”
Unibot has committed to compensating all users who suffered financial losses due to the contract exploit, highlighting the ongoing challenges and vulnerabilities within the cryptocurrency space.
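As an added illustration, and not Unibot’s code (the reports above do not describe the specific bug in its router, and this example does not claim to), here is one common shape of a “token approval exploit” in a hypothetical Solidity router, alongside a hardened version. The contract names, function names and parameters are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface the router needs (standard interface, not project-specific).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical router showing the flaw class: the address whose allowance is spent
// comes from calldata instead of msg.sender. Every user who has approved this router
// can be drained by anyone, up to that user's allowance and balance.
contract VulnerableRouter {
    function swapFor(address owner, address token, uint256 amount, address recipient) external {
        // BUG: `owner` is caller-controlled, so the router spends a stranger's allowance.
        require(IERC20(token).transferFrom(owner, address(this), amount), "pull failed");
        // ... swap logic elided for the example ...
        // The proceeds go wherever the caller says, completing the theft.
        require(IERC20(token).transfer(recipient, amount), "send failed");
    }
}

// Hardened version: only the caller's own allowance can ever be spent, and the
// output goes back to the caller rather than to an arbitrary recipient.
contract HardenedRouter {
    function swap(address token, uint256 amount) external {
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "pull failed");
        // ... swap logic elided for the example ...
        require(IERC20(token).transfer(msg.sender, amount), "send failed");
    }
}
```

The root cause in this pattern is that the router lets the caller choose whose allowance is consumed. Pausing a router stops further calls through it, but allowances already granted live on the token contract and persist until each user revokes them (approve(router, 0)), so checking for and revoking standing approvals to an affected router is the step a practitioner would want to take on any wallet that interacted with it.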