A group of North Korean hackers has spread a new type of malware via a loader program, intending to compromise a cryptocurrency exchange.

Lazarus Group Uses New Type of Malware

Analysts at cybersecurity company Elastic Security Labs have discovered a new type of malware that Lazarus Group hackers attempted to use to hack an unnamed crypto exchange. Analysts have dubbed the new virus Kandykorn.

The attack started with attackers using social engineering methods, establishing contact with the developers of the trading platform via Discord. They managed to convince the exchange’s representatives to try out the functionality of a new profitable arbitrage bot they had allegedly developed.

Thus, the hackers convinced the crypto exchange team to download a ZIP archive containing the program's installation files, which included a malicious file alongside the typical arbitrage bot files. When the program was launched, this file connected to a remote Google Drive account and allowed the hackers to download a specific loader program, which Elastic analysts named Sugarloader. Once it was downloaded, all other malicious files were deleted.

Sugarloader enables the hackers to bypass most malware detection programs. Elastic analysts report that the VirusTotal service's detectors failed to identify Sugarloader as a malicious file. The team was able to detect it only by stopping the program after its initialization functions had been called and taking a snapshot of the process's virtual memory.

Sugarloader allowed the Lazarus Group cybercriminals to connect to a remote server and download Kandykorn directly into the device's memory. The new malware contains many features that give the hackers almost unlimited access to the infected computer: attackers can download files from a remote server without the user noticing, and delete or replace files on the disk.

Elastic analysts believe that hackers used Kandykorn back in April 2023, and the malware is still on the crypto exchange’s server. 

Cybercriminals associated with North Korea have stolen about $3.54 billion in crypto over the past eight years and have been behind every third attack on crypto projects. CoinsPaid revealed how Lazarus Group carried out its hack and laundered the stolen assets, while the Match Systems CEO explained how hacking investigations are conducted in the Web3 space.

Author: Molly Wilson