Blockchain engineers’ Macs are targets of North Korea-linked malware

Siva Ramakrishnan
Hackers linked to North Korea are targeting blockchain engineers’ Apple devices with new, advanced malware, researchers have found.

The tactics and techniques used in the campaign overlap with the activity of the North Korean state-sponsored hacker group Lazarus, as reported by cybersecurity firm Elastic Security Labs.

The hackers’ likely goal is to steal cryptocurrency as part of the North Korean regime’s efforts to evade international sanctions, the researchers said.

The engineers work for a cryptocurrency exchange, Elastic said. The report does not specify the company.

To gain access to the target systems, the hackers created a Python app posing as a cryptocurrency arbitrage bot — a program that automatically buys and sells cryptocurrencies to take advantage of price differences on different cryptocurrency exchanges.

This app was delivered to potential victims through a direct message on a public Discord server that is popular among blockchain engineers, the researchers said.

This intrusion was aimed at devices running macOS, typically Apple laptops or desktops. The hackers attempted to load malicious payloads into memory, which is atypical behavior for macOS intrusions, researchers said.

The hackers ultimately attempted to infect the victims with malware that the researchers call Kandykorn. It is an advanced implant capable of accessing and exfiltrating data from the victim’s computer, uploading and executing additional payloads and killing processes — all while successfully avoiding detection, Elastic said.

The campaign began as early as April and remains active, the researchers said, with ongoing development of tools and techniques. It is unclear how many victims were infected with the malware and whether any cryptocurrency was stolen.

In October, researchers reported that Lazarus exploited a vulnerability in a “high-profile” software vendor to target its customers. The hackers used the SIGNBT and LPEClient malware strains to collect information about the victims’ devices and steal login details from their systems.

Daryna Antoniuk
is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.