Hackers Attacking Blockchain Engineers with Novel macOS Malware

The frequency of hackers exploiting macOS flaws varies over time, but Apple continuously releases security updates to patch vulnerabilities. 

While macOS is generally considered more secure than some other operating systems but, it is not immune to exploitation, and hackers may target it, especially if they discover new vulnerabilities.

Recently, cybersecurity researchers at Elastic Security Labs identified that hackers are actively attacking blockchain engineers of a crypto exchange platform with a new macOS malware.

Novel macOS Malware

For initial access and post-exploitation, the breach used custom and open-source tools. It was detected during the analysis of a macOS endpoint involving a Python app disguised as a crypto bot in a Discord direct message.

FREE Webinar

Webinar on Cyber Resilience for Financial Sector

Ensure your Cyber Resiliance with the recent wave of cyber-attacks targeting the financial services sector. Almost 60% respondents not confident to recover fully from a cyber attack.

Register Your Spot

This activity is linked to DPRK and shares similarities with the Lazarus Group, and security analysts labeled it REF7001 by considering the following elements:-

• Techniques
• Infrastructure
• Certificates
• Detection rules

Malicious actors posed as blockchain community members on a public Discord, duping an individual into downloading a deceptive ZIP file. The victim mistook it for a crypto arbitrage bot, leading to an initial compromise.

This marked the start of REF7001’s malware sequence, ultimately leading to ‘KANDYKORN”:-

• Stage 0 (Initial Compromise) – Watcher.py
• Stage 1 (Dropper) – testSpeed.py and FinderTools
• Stage 2 (Payload) – .sld and .log – SUGARLOADER
• Stage 3 (Loader)- Discord (fake) – HLOADER
• Stage 4 (Payload) – KANDYKORN

Both stage 3 and stage 4 executables share the same encrypted RC4 protocol for C2 communication, using a consistent key. These samples wrap send-and-receive system calls, encrypting data before sending and decrypting before processing.

During initialization, a handshake occurs between the malware and the C2, and if the handshake fails, the attack halts.

The client sends a random number to the C2, which responds with a nonce, and then a challenge is computed by the client and sent to the server.

After the connection, the client shares its ID and awaits server commands. All data exchanged follows a consistent serialization pattern:-

• Length
• Payload
• Return code to track errors

REF7001 involved the adversary obtaining payloads and loaders from the network infrastructure. They distributed the initial malware archive via a Google Drive link in a blockchain Discord server.

Besides this, two C2 servers were detected during the REF7001 analysis, and they are mentioned below:-

• tp-globa[.]xyz//OdhLca1mLUp/lZ5rZPxWsh/7yZKYQI43S/fP7savDX6c/bfC
• 23.254.226[.]90

DPRK’s LAZARUS GROUP targets crypto firms for stolen coins to evade sanctions. They trick blockchain engineers on a chat server, promising money but infecting victims who interact.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.