Apple MacOS malware targets crypto community and engineers

November 3, 2023

0 0 1 minute read

New malware discovered on Apple’s macOS – linked to North Korean hacking group Lazarus – reportedly targeted blockchain engineers at a cryptocurrency exchange.

The macOS malware “KandyKorn” is a stealthy backdoor capable of scraping data, listing directories, uploading/uploading files, securely deleting, terminating processes, and executing commands, according to a analysis by Elastic Security Labs.

MacOS Malware Execution Flow (REF7001). Source: elastic.co

The flowchart above explains the steps the malware takes to infect and hijack users’ computers. Initially, attackers distributed Python-based modules through Discord channels pretending to be community members.

Social engineering attacks trick community members into downloading a malicious ZIP archive named “Cross-platform Bridges.zip” – imitating an arbitrage bot designed for automated profit generation. However, the file imports 13 malicious modules that work together to steal and manipulate information. The report said:

“We observed the threat actor adopt a technique we have never seen them use before to achieve persistence on macOS, known as execution flow hijacking. »

The cryptocurrency sector remains a primary target for Lazarus, primarily motivated by financial gain rather than espionage, their other main operational objective.

The existence of KandyKorn highlights that macOS is well within Lazarus’ targeting zone, demonstrating the threat group’s remarkable ability to create sophisticated, stealthy malware tailored to Apple computers.

Related: Onyx Protocol exploiter begins siphoning $2.1 million in loot from Tornado Cash

A recent exploit on Unibot, a popular Telegram bot used to snipe transactions on decentralized exchange Uniswap, caused the token’s price to drop by 40% in an hour.

.@TeamUnibot seems exploited, the exploiter transfers the memecoins of #unibot users and exchange them for $ETH right away.

Current exploit size is around $560,000

Address of the exploiter: https://t.co/ysyTmgUAit pic.twitter.com/MF85Fdk892

— Scopescan (.) (@0xScopescan) October 31, 2023

Blockchain analytics company Scopescan alerted Unibot users of a hack in progress, which was later confirmed by an official source:

“We encountered a token trust exploit from our new router and have paused our router to contain the issue.”

Unibot has pledged to compensate all users who lost funds due to the contract exploit.

Review: Billionaire Slumdog 2: ‘The Top 10…brings no satisfaction,’ says Polygon’s Sandeep Nailwal

Sepahan fined and banned from stadium after Al-Ittihad cancellation

On TikTok, Gen Z Beatles fans share their thoughts on 'every once in a while'

Related Articles

Why the Service Sector Needs Blockchain, Explained

Why you should read 1984 (again)

Michael Jackson’s first-ever studio demo to be released on blockchain

Day 17 of the SBF trial: the founder of FTX presented as a criminal and a victim in the final conclusions

Leave a Reply Cancel reply