The Lazarus Group, a state-sponsored threat group from the Democratic People’s Republic of Korea, has been targeting blockchain engineers on a cryptocurrency exchange platform, using macOS malware dubbed “KANDYKORN.”
“The actions displayed by Lazarus Group show that the actor has no intent to slow down in their targeting of companies and individuals holding onto crypto-currency,” says Jaron Bradley, director of Jamf Threat Labs at Jamf. “They also continue to show that there is no shortage of new malware in their back pocket as well as familiarity with advanced attacker techniques. We continue to see them reach out directly to victims using different chat technology. It’s here they build trust before tricking them into running malicious software.”
Bradley is also part of the team behind the discovery of the BlueNoroff APT Group’s use of “RustBucket” malware targeting macOS.
KANDYKORN is not the first macOS malware the Lazarus Group has used in its attacks. Earlier this year, the threat actor was observed distributing a backdoored PDF application that culminated in the deployment of RustBucket, an AppleScript-based backdoor capable of retrieving a second-stage payload from a remote server.
According to The Hacker News, what makes the new campaign stand out is the attackers’ impersonation of blockchain engineers on a public Discord server, using social engineering lures to trick victims into downloading and executing a ZIP archive containing malicious code.