Report: Lazarus Group Deploys New ‘Kandykorn’ Malware in Crypto Exchange Attack
The state-sponsored North Korean hacker group Lazarus Group used a new type of malware called “Kandykorn” to target a cryptocurrency exchange.
On October 31, Elastic Security Labs reported that the notorious Lazarus Group used a new type of malicious software (malware) called “Kandykorn” in an attempt to compromise a cryptocurrency exchange.
Elastic Security Labs has revealed that the observed cyber activity, which dates back to April 2023, shows similarities with the well-known Lazarus Group, based on an examination of network infrastructure and methods employed.
According to Elastic, the attackers posed as blockchain engineers, targeting other engineers from the unnamed crypto exchange on a public Discord server.
They claimed to have designed a profitable arbitrage bot that could exploit price differences between cryptocurrencies on various exchanges. The engineers were convinced to download this “bot,” which was disguised as an arbitrage tool with file names like “config.py” and “pricetable.py.”
Advanced Malware ‘KANDYKORN’ Deployed Through Complex Five-Stage Process, Features Reflective Loading
Elastic Security Labs describes KANDYKORN as a sophisticated implant designed to monitor and interact with the compromised host while evading detection. It is deployed through a carefully orchestrated five-stage process.
The attack chain commences with the execution of a Python script named “watcher.py,” stored within a file labeled “Main.py.” Watcher.py, one of two malicious files stored in Main.py, establishes a connection to a remote Google Drive account, initiating the download of content into a file named “testSpeed.py.” Following a single execution of “testSpeed.py,” it is promptly erased to eliminate any traces.
During this brief execution, additional content is downloaded. TestSpeed.py acts as a dropper, fetching another Python file named “FinderTools” from a Google Drive URL. Serving as another dropper, FinderTools proceeds to download and execute a concealed second-stage payload, aptly named SUGARLOADER.
SUGARLOADER employs a “binary packer” to hide itself, posing a challenge for most malware detection programs. Elastic Security Labs managed to identify it by halting the program’s post-initialization functions and scrutinizing the virtual memory.
Once running, SUGARLOADER connects to a remote server and retrieves the final-stage payload, KANDYKORN, which is executed directly in memory. Additionally, SUGARLOADER launches a Swift-based self-signed binary named HLOADER, masquerading as the legitimate Discord application. It achieves persistence using a technique known as execution flow hijacking.
KANDYKORN, the ultimate payload, stands as a formidable Remote Access Trojan (RAT) with an array of capabilities, including file enumeration, the execution of additional malware, data exfiltration, process termination, and the execution of arbitrary commands.
KANDYKORN grants the remote server an array of functions for potential malicious activities, including directory content listing and the seamless transfer of victim files to the attacker’s system. The discovery of this sophisticated implant highlights the evolving landscape of cyber threats and the importance of robust security measures.
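Detection logic for the first stage described above, where a Python process pulls a script from Google Drive, runs it once and then deletes it. This is an added example, not code from Elastic's report; the event schema, paths, time window and sample telemetry are constructed assumptions.

```python
from datetime import datetime, timedelta

CLOUD_HOSTS = {"drive.google.com"}   # Google Drive, as in the article's first stage
WINDOW = timedelta(seconds=60)       # assumed correlation window

# Constructed sample telemetry; the schema (ts, pid, proc, action, target) is assumed.
EVENTS = [
    {"ts": "2024-01-01T10:00:00", "pid": 410, "proc": "python3", "action": "net_connect", "target": "drive.google.com"},
    {"ts": "2024-01-01T10:00:02", "pid": 410, "proc": "python3", "action": "file_create", "target": "/tmp/demo/testSpeed.py"},
    {"ts": "2024-01-01T10:00:03", "pid": 411, "proc": "python3", "action": "exec", "target": "/tmp/demo/testSpeed.py"},
    {"ts": "2024-01-01T10:00:05", "pid": 410, "proc": "python3", "action": "file_delete", "target": "/tmp/demo/testSpeed.py"},
    # Benign: a script is written and run, but with no cloud download and no delete.
    {"ts": "2024-01-01T11:00:00", "pid": 500, "proc": "python3", "action": "file_create", "target": "/home/dev/app/config.py"},
    {"ts": "2024-01-01T11:00:01", "pid": 501, "proc": "python3", "action": "exec", "target": "/home/dev/app/config.py"},
]

def find_download_run_delete(events, window=WINDOW):
    """Return .py paths written within `window` of a Python process contacting a
    cloud storage host, then executed and deleted within `window` of being written."""
    cloud_seen = {}   # pid -> time of last connection to a cloud storage host
    created = {}      # path -> time the script was written
    executed = set()  # paths that were run after being written
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort in time order
        if not e["proc"].startswith("python"):
            continue
        t = datetime.fromisoformat(e["ts"])
        pid, action, target = e["pid"], e["action"], e["target"]
        if action == "net_connect" and target in CLOUD_HOSTS:
            cloud_seen[pid] = t
        elif action == "file_create" and target.endswith(".py"):
            if pid in cloud_seen and t - cloud_seen[pid] <= window:
                created[target] = t
        elif action == "exec" and target in created:
            executed.add(target)
        elif action == "file_delete" and target in executed:
            if t - created[target] <= window:
                hits.append(target)
            created.pop(target, None)
            executed.discard(target)
    return hits

if __name__ == "__main__":
    print(find_download_run_delete(EVENTS))
```

The rule keys on the sequence of behaviours rather than on file names, so it still fires if the dropper script is renamed.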
Crypto Exchanges Suffer Multiple Private-Key Hacks in 2023, Linked to Lazarus Group with Millions Stolen
Crypto exchanges have suffered a rash of private-key hacks in 2023, most of which have been traced to the North Korean cybercrime enterprise Lazarus Group. The Lazarus Group has been linked to several crypto hacks running into millions of dollars, most notably the incident that saw over $40 million wiped from sports betting platform Stake.com.
According to blockchain surveillance firm Elliptic, Lazarus has stolen nearly $240 million in cryptocurrencies since June, initiating attacks to steal cryptoassets from Atomic Wallet ($100 million), CoinsPaid ($37.3 million), Alphapo ($60 million), CoinEx ($54 million), and Stake.com ($41 million).
According to a report from the institutional crypto platform provider 21.co, wallets connected to Lazarus Group contain around 1,600 Bitcoin, 10,810 Ether, and 64,490 Binance Coins.