Blockchain engineers’ Macs are targets of North Korea-linked malware
Hackers linked to North Korea are targeting blockchain engineers’ Apple devices with new, advanced malware, researchers have found.
The tactics and techniques used in the campaign overlap with the activity of the North Korean state-sponsored hacker group Lazarus, as reported by cybersecurity firm Elastic Security Labs.
The hackers’ likely goal is to steal cryptocurrency as part of the North Korean regime’s efforts to evade international sanctions, the researchers said.
The engineers work for a cryptocurrency exchange, Elastic said. The report does not specify the company.
To gain access to the target systems, the hackers created a Python app posing as a cryptocurrency arbitrage bot — a program that automatically buys and sells cryptocurrencies to take advantage of price differences on different cryptocurrency exchanges.
This app was delivered to potential victims through a direct message on a public Discord server that is popular among blockchain engineers, the researchers said.
This intrusion was aimed at devices running macOS, typically Apple laptops or desktops. The hackers attempted to load malicious payloads into memory, which is atypical behavior for macOS intrusions, researchers said.
The hackers ultimately attempted to infect the victims with malware that the researchers call Kandykorn. It is an advanced implant capable of accessing and exfiltrating data from the victim's computer, uploading and executing additional payloads and killing processes — all while successfully avoiding detection, Elastic said.
The campaign began as early as April and remains active, the researchers said, with ongoing development of tools and techniques. It is unclear how many victims were infected with the malware and whether any cryptocurrency was stolen.
In October, researchers reported that Lazarus exploited a vulnerability in a “high-profile” software vendor to target its customers. The hackers used the SIGNBT and LPEClient malware strains to collect information about the victims' devices and steal login details from their systems.
Daryna Antoniuk
is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.