2023-11-04

Elastic Security Labs has disclosed a sophisticated cyber intrusion by North Korean hackers believed to be linked to the Lazarus Group.

The incident, tracked as REF7001, involved a new macOS malware called Candycorn, built specifically to target blockchain engineers working at cryptocurrency exchange platforms.

The intrusion, which Elastic Security Labs attributes to the notorious Lazarus Group, targeted blockchain engineers involved in cryptocurrency exchange platforms and used deceptive Python programs masquerading as cryptocurrency arbitrage bots.

What sets this attack apart is its delivery method: the attackers distributed the malware through a private message on a public Discord server, an unusual channel for a macOS infection.

“The victim believed they were installing an arbitrage bot, which is a software tool capable of profiting from cryptocurrency rate differences between platforms,” researchers at Elastic Security Labs reported.

After installation, the Candycorn malware initiates communication with a command-and-control (C2) server, encrypting its traffic with RC4 and using a distinct handshake mechanism. Instead of actively polling the server for orders, it waits for the server to send them. This approach lets the attackers quietly maintain control over compromised systems.
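The paragraph above says Candycorn protects its C2 channel with RC4, a symmetric stream cipher. As an added example (not code from Elastic's report, and not the malware's own implementation), the Python below implements RC4 from its textbook definition so an analyst can see what "RC4-encrypted traffic" means in practice: the same keystream XOR both encrypts and decrypts, so anyone who recovers the session key (for example from a memory image) can read captured traffic. The session key, the "captured" message and the `decrypt_capture` / `keystream_reuse_leak` helpers are assumptions constructed for the demonstration; the article gives neither the key nor the message format. The last helper goes beyond the article to show the standard caveat with RC4: reusing a key across two messages leaks the XOR of their plaintexts.

```python
"""RC4 stream cipher, written out to illustrate the kind of C2 encryption
described in the article. Added example, not Elastic's or the malware's code;
the key and sample message below are constructed for demonstration."""

from typing import Iterator


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Yield RC4 keystream bytes: key-scheduling (KSA) then PRGA."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA: permute S under the key
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                                # PRGA: emit one byte per step
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """XOR data with the keystream. RC4 is its own inverse, so this call
    both encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 requires a non-empty key")
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


# Constructed sample (hypothetical): a session key an analyst has recovered,
# and a plaintext command in an invented format. Neither is from the report.
SAMPLE_KEY = b"example-session-key"
SAMPLE_PLAINTEXT = b"cmd=upload;path=/tmp/out.bin"


def decrypt_capture(key: bytes, captured: bytes) -> bytes:
    """Analyst-side helper: recover plaintext from captured C2 bytes."""
    return rc4(key, captured)


def keystream_reuse_leak(key: bytes, msg_a: bytes, msg_b: bytes) -> bytes:
    """Caveat: two messages under the same RC4 key XOR to the XOR of their
    plaintexts, because the keystream cancels out. Returns that XOR."""
    ct_a, ct_b = rc4(key, msg_a), rc4(key, msg_b)
    return bytes(x ^ y for x, y in zip(ct_a, ct_b))


if __name__ == "__main__":
    captured = rc4(SAMPLE_KEY, SAMPLE_PLAINTEXT)
    print("captured (hex):", captured.hex())
    print("decrypted     :", decrypt_capture(SAMPLE_KEY, captured))
    leak = keystream_reuse_leak(SAMPLE_KEY, b"cmd=ping", b"cmd=exit")
    print("plaintext XOR leaked by key reuse:", leak.hex())
```

The implementation is checked against the published RC4 test vectors (key "Key" / plaintext "Plaintext", and so on), so the decryption of the constructed capture can be trusted; the key-reuse helper is the reason a modern C2 would derive a fresh key per session, and the reason an analyst who sees the same key reused gets a second way in.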

Candycorn malware strategy reveals ties to Lazarus Group

Elastic Security Labs has provided valuable insight into Candycorn's capabilities: file upload and download, process manipulation, and execution of arbitrary system commands. Of particular concern is its use of reflective binary loading, a fileless, in-memory execution technique associated with the Lazarus Group, which is known for cryptocurrency theft and for evading international sanctions.

There is also strong evidence linking this attack to North Korea's Lazarus Group: overlaps in techniques, network infrastructure, the certificates used to sign the malware, and the custom detection methods that match Lazarus Group activity all point to its involvement.

On-chain transactions have also revealed links between the security breaches at Atomic Wallet, AlphaPo, Coinspeed, Stake.com, and CoinX. These connections further support the Lazarus Group's involvement in those incidents.

In a separate recent incident, the Lazarus Group attempted to compromise Apple computers running macOS by tricking users into downloading a crypto trading app from GitHub. Once unsuspecting users installed the software and granted it administrative access, the attackers obtained a backdoor into the operating system that gave them remote access.

By laying out these details, Elastic Security Labs highlights the sophisticated strategy adopted by the Lazarus Group and emphasizes the importance of strong cybersecurity measures to protect against such threats.

