KandyKorn macOS malware lobbed at blockchain engineers (Security News, November 2023)

North Korean hackers are using novel macOS malware named KandyKorn to target blockchain engineers at a cryptocurrency exchange platform.
By impersonating blockchain engineering community members on Discord, the attackers used social engineering techniques to make victims download a malicious ZIP file.
The victims believe they are installing an arbitrage bot (i.e., crypto trading software), but what they actually download is a Python file that fetches and executes the next stage, Watcher.
A later stage, Sugarloader, establishes the connection to a C2 server and downloads the KandyKorn malware, executing it directly in memory.
"Once communication is established, KandyKorn awaits commands from the server. This is an interesting characteristic in that the malware waits for commands instead of polling for commands. This would reduce the number of endpoint and network artifacts generated and provide a way to limit potential discovery," Elastic Security Labs researchers explained.
KandyKorn is a remote access trojan capable of performing encrypted C2 communications, enumerating systems, uploading and executing additional malicious payloads, compressing and exfiltrating data, and more.
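The quoted observation matters for detection: beacon-hunting logic that looks for regular polling intervals will not surface an implant that opens one connection and then sits idle waiting for the server. The following is an added example (not code from the article or from Elastic Security Labs) that runs two complementary checks over constructed flow records: a periodicity check for polling-style beacons, and a long-lived low-volume check for the "wait for commands" channel described above. The thresholds, IP addresses and flow records are all assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Flow:
    """One outbound network connection as a flow-log record (constructed format)."""
    start: float      # epoch seconds when the connection opened
    end: float        # epoch seconds when it closed
    src: str          # internal host
    dst: str          # remote address
    dport: int
    bytes_out: int
    bytes_in: int


def find_periodic_beacons(flows, min_connections=5, max_cv=0.15):
    """Flag (src, dst, dport) groups whose connection start times are evenly spaced.

    Regular inter-arrival gaps (low coefficient of variation) are the classic
    signature of an implant that polls its C2 on a timer.
    """
    starts_by_key = defaultdict(list)
    for f in flows:
        starts_by_key[(f.src, f.dst, f.dport)].append(f.start)

    hits = []
    for key, starts in starts_by_key.items():
        if len(starts) < min_connections:
            continue
        starts.sort()
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue
        cv = pstdev(gaps) / avg_gap
        if cv <= max_cv:
            hits.append({"key": key, "connections": len(starts),
                         "mean_gap_s": round(avg_gap, 1), "cv": round(cv, 3)})
    return hits


def find_idle_channels(flows, min_duration_s=1800, max_bytes_per_min=200):
    """Flag single connections that stay open for a long time yet carry almost no data.

    This is the pattern a command-waiting implant produces: it never re-polls,
    so the periodicity check above stays silent, but the session itself is
    unusually long and quiet compared with normal client traffic.
    """
    hits = []
    for f in flows:
        duration = f.end - f.start
        if duration < min_duration_s:
            continue
        rate = (f.bytes_out + f.bytes_in) / (duration / 60.0)
        if rate <= max_bytes_per_min:
            hits.append({"key": (f.src, f.dst, f.dport),
                         "duration_s": duration, "bytes_per_min": round(rate, 1)})
    return hits


def triage(flows):
    """Run both checks and return a combined report."""
    return {"periodic_beacons": find_periodic_beacons(flows),
            "idle_channels": find_idle_channels(flows)}


# Constructed sample: one polling implant, one command-waiting implant, one browsing host.
SAMPLE_FLOWS = (
    # host-a: a new connection roughly every 60 s, tiny payloads (polling beacon)
    [Flow(t, t + 2, "host-a", "203.0.113.10", 443, 200, 200)
     for t in (0, 61, 119, 181, 240, 299)]
    # host-b: one connection held open for four hours with ~1 KB total (waits for commands)
    + [Flow(0, 14400, "host-b", "198.51.100.25", 443, 500, 700)]
    # host-c: irregular short connections with normal data volumes (ordinary browsing)
    + [Flow(t, t + 3, "host-c", "192.0.2.80", 443, 5000, 120000)
       for t in (0, 5, 40, 41, 300, 900)]
)

if __name__ == "__main__":
    for kind, rows in triage(SAMPLE_FLOWS).items():
        print(kind)
        for row in rows:
            print("  ", row)
```

Against the sample, only host-a trips the periodicity check and only host-b trips the idle-channel check; host-b would be invisible to a detector that relied on beacon regularity alone, which is exactly the evasion benefit the researchers describe.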
News URL: https://www.helpnetsecurity.com/2023/11/03/macos-malware-cryptocurrency/
Related news
- North Korean Hackers Deploy FERRET Malware via Fake Job Interviews on macOS
- XCSSET macOS malware returns with first new version since 2022
- Microsoft spots XCSSET macOS malware variant used for crypto theft
- Microsoft Uncovers New XCSSET macOS Malware Variant with Advanced Obfuscation Tactics
- The XCSSET info-stealing malware is back, targeting macOS users and devs
- New FrigidStealer Malware Targets macOS Users via Fake Browser Updates
- Seven Malicious Go Packages Found Deploying Malware on Linux and macOS Systems