Thursday, November 30, 2023

Hackers Attacking Blockchain Engineers with Novel macOS Malware

The frequency of hackers exploiting macOS flaws varies over time, but Apple continuously releases security updates to patch vulnerabilities. 

While macOS is generally considered more secure than some other operating systems but, it is not immune to exploitation, and hackers may target it, especially if they discover new vulnerabilities.

Recently, cybersecurity researchers at Elastic Security Labs identified that hackers are actively attacking blockchain engineers of a crypto exchange platform with a new macOS malware.

Novel macOS Malware

For initial access and post-exploitation, the breach used custom and open-source tools. It was detected during the analysis of a macOS endpoint involving a Python app disguised as a crypto bot in a Discord direct message.

FREE Webinar

Webinar on Cyber Resilience for Financial Sector

Ensure your Cyber Resiliance with the recent wave of cyber-attacks targeting the financial services sector. Almost 60% respondents not confident to recover fully from a cyber attack.

This activity is linked to DPRK and shares similarities with the Lazarus Group, and security analysts labeled it REF7001 by considering the following elements:-

  • Techniques
  • Infrastructure
  • Certificates
  • Detection rules

Malicious actors posed as blockchain community members on a public Discord, duping an individual into downloading a deceptive ZIP file. The victim mistook it for a crypto arbitrage bot, leading to an initial compromise.

This marked the start of REF7001’s malware sequence, ultimately leading to ‘KANDYKORN”:-

  • Stage 0 (Initial Compromise) –
  • Stage 1 (Dropper) – and FinderTools
  • Stage 2 (Payload) – .sld and .log – SUGARLOADER
  • Stage 3 (Loader)- Discord (fake) – HLOADER
  • Stage 4 (Payload) – KANDYKORN

Both stage 3 and stage 4 executables share the same encrypted RC4 protocol for C2 communication, using a consistent key. These samples wrap send-and-receive system calls, encrypting data before sending and decrypting before processing.

During initialization, a handshake occurs between the malware and the C2, and if the handshake fails, the attack halts.

The client sends a random number to the C2, which responds with a nonce, and then a challenge is computed by the client and sent to the server.

After the connection, the client shares its ID and awaits server commands. All data exchanged follows a consistent serialization pattern:-

  • Length
  • Payload
  • Return code to track errors

REF7001 involved the adversary obtaining payloads and loaders from the network infrastructure. They distributed the initial malware archive via a Google Drive link in a blockchain Discord server.

Besides this, two C2 servers were detected during the REF7001 analysis, and they are mentioned below:-

  • tp-globa[.]xyz//OdhLca1mLUp/lZ5rZPxWsh/7yZKYQI43S/fP7savDX6c/bfC
  • 23.254.226[.]90

DPRK’s LAZARUS GROUP targets crypto firms for stolen coins to evade sanctions. They trick blockchain engineers on a chat server, promising money but infecting victims who interact.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.


Latest articles

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...

CISA Warns Hackers Exploiting Wastewater Systems Logic Controllers

In a disconcerting turn of events, cyber threat actors have set their sights on...

Zyxel Command Injection Flaws Let Attackers Run OS Commands

Three Command injection vulnerabilities have been discovered in Zyxel NAS (Network Attached Storage) products,...

North Korean Hackers Attacking macOS Using Weaponized Documents

Hackers often use weaponized documents to exploit vulnerabilities in software, which enables the execution...

Most Popular Websites Still Allow Users To Have Weak Passwords

The latest analysis shows that tens of millions of people are creating weak passwords...

Chrome Zero-Day Vulnerability That Exploited In The Wild

Google has fixed the sixth Chrome zero-day bug that was exploited in the wild this...

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles