Thursday, April 18, 2024

Hackers Attacking Blockchain Engineers with Novel macOS Malware

The frequency of hackers exploiting macOS flaws varies over time, but Apple continuously releases security updates to patch vulnerabilities. 

While macOS is generally considered more secure than some other operating systems but, it is not immune to exploitation, and hackers may target it, especially if they discover new vulnerabilities.

Recently, cybersecurity researchers at Elastic Security Labs identified that hackers are actively attacking blockchain engineers of a crypto exchange platform with a new macOS malware.

Novel macOS Malware

For initial access and post-exploitation, the breach used custom and open-source tools. It was detected during the analysis of a macOS endpoint involving a Python app disguised as a crypto bot in a Discord direct message.

FREE Webinar

Webinar on Cyber Resilience for Financial Sector

Ensure your Cyber Resiliance with the recent wave of cyber-attacks targeting the financial services sector. Almost 60% respondents not confident to recover fully from a cyber attack.

This activity is linked to DPRK and shares similarities with the Lazarus Group, and security analysts labeled it REF7001 by considering the following elements:-

  • Techniques
  • Infrastructure
  • Certificates
  • Detection rules

Malicious actors posed as blockchain community members on a public Discord, duping an individual into downloading a deceptive ZIP file. The victim mistook it for a crypto arbitrage bot, leading to an initial compromise.

This marked the start of REF7001’s malware sequence, ultimately leading to ‘KANDYKORN”:-

  • Stage 0 (Initial Compromise) –
  • Stage 1 (Dropper) – and FinderTools
  • Stage 2 (Payload) – .sld and .log – SUGARLOADER
  • Stage 3 (Loader)- Discord (fake) – HLOADER
  • Stage 4 (Payload) – KANDYKORN

Both stage 3 and stage 4 executables share the same encrypted RC4 protocol for C2 communication, using a consistent key. These samples wrap send-and-receive system calls, encrypting data before sending and decrypting before processing.

During initialization, a handshake occurs between the malware and the C2, and if the handshake fails, the attack halts.

The client sends a random number to the C2, which responds with a nonce, and then a challenge is computed by the client and sent to the server.

After the connection, the client shares its ID and awaits server commands. All data exchanged follows a consistent serialization pattern:-

  • Length
  • Payload
  • Return code to track errors

REF7001 involved the adversary obtaining payloads and loaders from the network infrastructure. They distributed the initial malware archive via a Google Drive link in a blockchain Discord server.

Besides this, two C2 servers were detected during the REF7001 analysis, and they are mentioned below:-

  • tp-globa[.]xyz//OdhLca1mLUp/lZ5rZPxWsh/7yZKYQI43S/fP7savDX6c/bfC
  • 23.254.226[.]90

DPRK’s LAZARUS GROUP targets crypto firms for stolen coins to evade sanctions. They trick blockchain engineers on a chat server, promising money but infecting victims who interact.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.


Latest articles

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall Vulnerability (CVE-2024-3400)

In the wake of the recent disclosure of a critical vulnerability (CVE-2024-3400) affecting a...

Cerber Linux Ransomware Exploits Atlassian Servers to Take Full Control

Security researchers at Cado Security Labs have uncovered a new variant of the Cerber...

FGVulDet – New Vulnerability Detector to Analyze Source Code

Detecting source code vulnerabilities aims to protect software systems from attacks by identifying inherent...

North Korean Hackers Abuse DMARC To Legitimize Their Emails

DMARC is targeted by hackers as this serves to act as a preventative measure...

L00KUPRU Ransomware Attackers discovered in the wild

A new variant of the Xorist ransomware, dubbed L00KUPRU, has been discovered in the...

Oracle Releases Biggest Security Update in 2024 – 372 Vulnerabilities Are Fixed – Update Now!

Oracle has released its April 2024 Critical Patch Update (CPU), addressing 372 security vulnerabilities...

Outlook Login Panel Themed Phishing Attack Evaded All Antivirus Detections

Cybersecurity researchers have uncovered a new phishing attack that has bypassed all antivirus detections.The...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.


Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

Related Articles