KandyKorn macOS malware lobbed at blockchain engineers
North Korean hackers are using novel macOS malware named KandyKorn to target blockchain engineers at a cryptocurrency exchange platform.
By impersonating blockchain engineering community members on Discord, the attackers used social engineering techniques to make victims download a malicious ZIP file.
The victims believe they are installing an arbitrage bot, i.e., crypto trading software, but they actually download a Python file, which in turn downloads and executes Watcher.
Sugarloader establishes the connection to a C2 server to download and execute the KandyKorn malware directly into memory.
"Once communication is established, KandyKorn awaits commands from the server. This is an interesting characteristic in that the malware waits for commands instead of polling for commands. This would reduce the number of endpoint and network artifacts generated and provide a way to limit potential discovery," Elastic Security Labs researchers explained.
KandyKorn is a remote access trojan capable of performing encrypted C2 communications, enumerating systems, uploading and executing additional malicious payloads, compressing and exfiltrating data, and more.
News URL
https://www.helpnetsecurity.com/2023/11/03/macos-malware-cryptocurrency/
Related news
- macOS HM Surf vuln might already be under exploit by major malware family
- North Korean Hackers Target Crypto Firms with Hidden Risk Malware on macOS
- North Korean hackers use new macOS malware against crypto firms
- North Korean Hackers Target macOS Using Flutter-Embedded Malware
- New RustyAttr Malware Targets macOS Through Extended Attribute Abuse