Malware for Apple’s macOS targets blockchain engineers of crypto exchange platform: Report
The Hindu
Malware "KandyKorn" has been found targeting blockchain engineers of a cryptocurrency exchange platform and is attributed to the North Korean Lazarus group. The attackers use social engineering to spread a malicious ZIP archive, which unpacks and executes scripts that hijack the Discord app and load the final payload.
A new malware affecting Apple’s macOS was found targeting blockchain engineers of a cryptocurrency exchange platform. The malware, dubbed “KandyKorn,” is being attributed to the North Korean Lazarus hacking group.
The attackers impersonate members of the cryptocurrency community on Discord channels to spread the Python-based modules that trigger a multi-stage KandyKorn infection chain, as reported by Bleeping Computer.
The campaign is aimed at accessing and stealing data from the infected computer and avoids detection by hijacking the real Discord app following a series of binary renaming actions.
Attackers approach members of the crypto community on Discord channels using social engineering attacks to trick them into downloading a malicious ZIP archive named “Cross-platform Bridges.zip.”
Victims are misled into believing that they are downloading a legitimate arbitrage bot designed for automated profit generation from crypto transactions. However, the Python script imports modules that unpack and execute scripts, which later establish a connection with the command-and-control server to obtain and load the final payload, KandyKorn, into the system memory, the report said.
In the final stage, a loader that impersonates Discord is used; it relies on macOS binary code-signing techniques seen in past Lazarus campaigns.
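As an added illustration of what a defender could check for, the script below audits a macOS .app bundle for the kind of executable substitution the article describes (a legitimate app hijacked after binary renaming). It is not code from the article, Bleeping Computer, or any vendor report, and it assumes that such a hijack leaves a mismatch between the executable declared in Info.plist and the Mach-O files actually present in Contents/MacOS, or a code signature that no longer validates. The bundle name "Sample.app", the bundle identifier and the file contents are all constructed for the demonstration.

```python
"""Audit a macOS .app bundle for signs of executable substitution.

Added illustration, not from the article. Assumption: a hijack that
renames binaries inside a bundle leaves either an extra Mach-O file next
to the declared executable or a declared executable that is missing, and
(on macOS) a code signature that no longer verifies.
"""
import os
import plistlib
import shutil
import subprocess
import sys
import tempfile

# Mach-O and fat-binary magic numbers, in the byte order they appear on disk.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",  # big-endian 32/64-bit
    b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",  # little-endian 32/64-bit
    b"\xca\xfe\xba\xbe",                        # universal (fat) binary
}


def is_macho(path):
    """Return True if the file starts with a Mach-O or fat-binary magic."""
    with open(path, "rb") as f:
        return f.read(4) in MACHO_MAGICS


def audit_bundle(app_path):
    """Compare Info.plist's CFBundleExecutable with Contents/MacOS.

    Returns a list of human-readable findings; an empty list means the
    bundle layout is consistent with its own metadata.
    """
    findings = []
    plist_path = os.path.join(app_path, "Contents", "Info.plist")
    macos_dir = os.path.join(app_path, "Contents", "MacOS")
    with open(plist_path, "rb") as f:
        info = plistlib.load(f)
    declared = info.get("CFBundleExecutable")
    if not declared:
        findings.append("Info.plist declares no CFBundleExecutable")
        return findings
    present = sorted(os.listdir(macos_dir)) if os.path.isdir(macos_dir) else []
    if declared not in present:
        findings.append(f"declared executable {declared!r} missing from Contents/MacOS")
    for name in present:
        if name != declared and is_macho(os.path.join(macos_dir, name)):
            findings.append(
                f"unexpected Mach-O executable {name!r} beside {declared!r} "
                "(possible renamed original)"
            )
    return findings


def codesign_verify(app_path):
    """On macOS, ask codesign whether the bundle's signature still validates.

    Returns True/False from codesign, or None when codesign is unavailable
    (e.g. when this script runs on Linux).
    """
    if sys.platform != "darwin" or shutil.which("codesign") is None:
        return None
    result = subprocess.run(
        ["codesign", "--verify", "--deep", "--strict", app_path],
        capture_output=True, text=True,
    )
    return result.returncode == 0


def build_sample_bundle(root, tampered):
    """Construct a throwaway Sample.app layout (constructed test data)."""
    app = os.path.join(root, "Sample.app")
    macos = os.path.join(app, "Contents", "MacOS")
    os.makedirs(macos)
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as f:
        plistlib.dump({"CFBundleExecutable": "Sample",
                       "CFBundleIdentifier": "example.sample"}, f)
    with open(os.path.join(macos, "Sample"), "wb") as f:
        f.write(b"\xcf\xfa\xed\xfe" + b"\0" * 28)  # minimal fake Mach-O header
    if tampered:
        # Reproduce the renaming pattern for the test: the original binary is
        # moved aside and another Mach-O file takes its declared name.
        os.rename(os.path.join(macos, "Sample"), os.path.join(macos, "Sample.orig"))
        with open(os.path.join(macos, "Sample"), "wb") as f:
            f.write(b"\xcf\xfa\xed\xfe" + b"\0" * 28)
    return app


def demo(tampered):
    """Build a sample bundle in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_bundle(build_sample_bundle(tmp, tampered))


if __name__ == "__main__":
    print("clean bundle:", demo(False))
    print("tampered bundle:", demo(True))
```

On a real host the layout check runs anywhere, while `codesign_verify` only adds signal on macOS; a bundle that passes the layout check but fails signature verification still deserves a look, since the article notes the loader relies on code-signing techniques rather than leaving the app unsigned.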