December 2, 2023

Hackers linked to North Korea are targeting blockchain engineers' Apple devices with new, sophisticated malware, researchers have discovered.

The tactics and techniques used in the campaign overlap with the activity of the North Korean state-sponsored hacking group Lazarus, according to cybersecurity firm Elastic Security Labs.

The hackers' likely goal is to steal cryptocurrency as part of the North Korean regime's efforts to evade international sanctions, the researchers said.

The engineers work for a cryptocurrency exchange, Elastic said. The report does not name the company.

To gain access to the target systems, the hackers created a Python app posing as a cryptocurrency arbitrage bot, a program that automatically buys and sells cryptocurrencies to profit from price differences across exchanges.

The app was delivered to potential victims via a direct message on a public Discord server that is popular among blockchain engineers, the researchers said.

The intrusion targeted devices running macOS, typically Apple laptops or desktops. The hackers attempted to load malicious payloads directly into memory, which is unusual behavior for macOS intrusions, the researchers said.

The hackers ultimately attempted to infect the victims with malware that the researchers call Kandykorn. It is an advanced implant capable of accessing and exfiltrating data from the victim's computer, uploading and executing additional payloads and killing processes, all while successfully evading detection, Elastic said.

The campaign began as early as April and remains active, the researchers said, with ongoing development of tools and techniques. It is unclear how many victims were infected with the malware and whether any cryptocurrency was stolen.

In October, researchers reported that Lazarus exploited a vulnerability in a "high-profile" software vendor to target its customers. The hackers used the SIGNBT and LPEClient malware strains to collect information about the victims' devices and steal login credentials from their systems.


Daryna Antoniuk

Daryna Antoniuk is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.