The state-sponsored North Korean hacker group Lazarus Group used a new type of malware called “Kandykorn” to target a cryptocurrency exchange.
On October 31, Elastic Security Labs reported that the notorious Lazarus Group used a new type of malicious software (malware) called “Kandykorn” in an attempt to compromise a cryptocurrency exchange.
Elastic Security Labs has revealed that the observed cyber activity, which dates back to April 2023, shows similarities with the well-known Lazarus Group, based on an examination of network infrastructure and methods employed.
According to Elastic, the attackers posed as blockchain engineers, targeting other engineers from the unnamed crypto exchange on a public Discord server.
They claimed to have designed a profitable arbitrage bot that could exploit price differences between cryptocurrencies on various exchanges. The engineers were convinced to download this “bot,” which was disguised as an arbitrage tool with file names like “config.py” and “pricetable.py.”
In the discovery, Elastic Security Labs unveiled the sophisticated implant known as KANDYKORN, designed to monitor and interact with the compromised system while evading detection. The deployment of KANDYKORN involves a meticulously orchestrated five-stage process that showcases its formidable capabilities.
The attack chain commences with the execution of a Python script named “watcher.py,” stored within a file labeled “Main.py.” Watcher.py, one of two malicious files stored in Main.py, establishes a connection to a remote Google Drive account, initiating the download of content into a file named “testSpeed.py.” Following a single execution of “testSpeed.py,” it is promptly erased to eliminate any traces.
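The first stage described above leaves a short-lived trace: a script is written to disk, run once by the Python interpreter, and deleted moments later. The following detection sketch, added here and not part of the Elastic report or the cryptonews article, flags that create-execute-delete pattern in host telemetry; the event record format, interpreter list and sample events are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed telemetry records (hypothetical format, not from the Elastic
# report): one file or process event per record, timestamps in seconds.
@dataclass
class Event:
    ts: float
    kind: str        # "file_create", "proc_exec" or "file_delete"
    path: str        # file path; for proc_exec, the script handed to the interpreter
    image: str = ""  # for proc_exec, the interpreter binary name

INTERPRETERS = {"python", "python3"}

# Constructed sample: a script written, run once by python3, then deleted,
# next to a benign build script that stays on disk after running.
SAMPLE_EVENTS = [
    Event(100.0, "file_create", "/Users/dev/testSpeed.py"),
    Event(100.5, "proc_exec", "/Users/dev/testSpeed.py", "python3"),
    Event(102.0, "file_delete", "/Users/dev/testSpeed.py"),
    Event(200.0, "file_create", "/Users/dev/tooling/build.py"),
    Event(201.0, "proc_exec", "/Users/dev/tooling/build.py", "python3"),
]

def find_transient_scripts(events: List[Event], window: float = 30.0) -> List[str]:
    """Return paths that were created, run by an interpreter, and deleted,
    in that order, within `window` seconds of creation."""
    seen: Dict[str, Dict[str, Optional[float]]] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        rec = seen.setdefault(e.path, {"create": None, "exec": None, "delete": None})
        # Keep the first occurrence of each event kind per path.
        if e.kind == "file_create" and rec["create"] is None:
            rec["create"] = e.ts
        elif e.kind == "proc_exec" and e.image in INTERPRETERS and rec["exec"] is None:
            rec["exec"] = e.ts
        elif e.kind == "file_delete" and rec["delete"] is None:
            rec["delete"] = e.ts
    flagged = []
    for path, r in seen.items():
        c, x, d = r["create"], r["exec"], r["delete"]
        if None in (c, x, d):
            continue  # not all three stages observed
        if c <= x <= d and d - c <= window:
            flagged.append(path)
    return flagged

if __name__ == "__main__":
    print(find_transient_scripts(SAMPLE_EVENTS))  # ['/Users/dev/testSpeed.py']
```

In a real deployment the window and interpreter list would be tuned to the environment, and the hit should be correlated with the network activity that preceded it rather than acted on alone.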
During this brief execution, additional content
Read more on cryptonews.com