Security News > 2023 > November > KandyKorn macOS malware lobbed at blockchain engineers

North Korean hackers are using novel MacOS malware named KandyKorn to target blockchain engineers of a cryptocurrency exchange platform.

By impersonating blockchain engineering community members on Discord, the attackers used social engineering techniques to make victims download a malicious ZIP file.

The victims believe they are installing an arbitrage bot, i.e., crypto trading software, but they end up downloading a Python file, which downloads and executes Watcher.

Sugarloader establishes the connection to a C2 server to download and execute the KandyKorn malware directly into memory.

"Once communication is established, KandyKorn awaits commands from the server. This is an interesting characteristic in that the malware waits for commands instead of polling for commands. This would reduce the number of endpoint and network artifacts generated and provide a way to limit potential discovery," Elastic Security Labs researchers explained.

KandyKorn is a remote access trojan capable of performing encrypted C2 communications, enumerating systems, uploading and executing additional malicious payloads, compressing and exfiltrating data, and more.

News URL

https://www.helpnetsecurity.com/2023/11/03/macos-malware-cryptocurrency/