Cybersecurity firm Elastic Security Labs identified a new sort of malware used by the North Korean cybercrime group Lazarus to carry out hacks on crypto exchanges.
In a blog post on Wednesday, Elastic said the novel intrusion targeted blockchain engineers on exchanges, luring them in with a Python application to gain access to their environments.
The security researchers observed the intrusion on a macOS system when an adversary attempted to load binaries into memory.
Lazarus reportedly impersonated blockchain engineers on Discord, convincing victims to download a ZIP file that contained malicious code. The victims in question believed they were downloading a crypto arbitrage bot.
Once the program began running on the victim’s devices, the malicious file “Watcher.py” connected to a Google Drive account and started downloading content to another file. This single-time execution file was automatically deleted to cover its tracks.
Stage 2 of the infiltration process involved the execution of a program that Elastic calls “Sugarloader”, which has the ability to hide from malware detection programs in a binary packer. After Sugarloader sets the stage, the next phase of the process takes place where a program called HLOADER masquerades as a legitimate Discord application.
The final stage, dubbed “Kandykorn,” infiltrates victims’ computers with a full set of capabilities to monitor, interact with programs and avoid detection.
The techniques and malware used to carry out the attack have been linked to the Lazarus Group as per analysis of their previous hacks.
“We attribute this activity to DPRK [Lazarus Group] and recognize overlaps with the Lazarus Group based on our analysis of the techniques, network infrastructure, code-signing certificates, and custom Lazarus Group detection rules,” said Elastic.