1. Home
  2. alphapo

alphapo

Lazarus used ‘Kandykorn’ malware in attempt to compromise exchange — Elastic

Lazarus members posed as engineers and fooled exchange employees into downloading difficult-to-detect malware.

Lazarus Group used a new form of malware in an attempt to compromise a crypto exchange, according to an Oct. 31 report from Elastic Security Labs.

Elastic has named the new malware “Kandykorn” and the loader program that loads it into memory “Sugarload,” as the loader file has a novel “.sld” extension in its name. Elastic did not name the exchange that was targeted.

Crypto exchanges have suffered a rash of private-key hacks in 2023, most of which have been traced to the North Korean cybercrime enterprise Lazarus Group.

Kandykorn infection process. Source: Elastic Security Labs

According to Elastic, the attack began when Lazarus members posed as blockchain engineers and targeted engineers from the unnamed crypto exchange. The attackers made contact on Discord, claiming they had designed a profitable arbitrage bot that could profit from discrepancies between the prices of cryptocurrencies on different exchanges.

The attackers convinced the engineers to download this “bot.” The files in the program’s ZIP folder had disguised names like “config.py” and “pricetable.py” that made it appear to be an arbitrage bot.

Once the engineers ran the program, it executed a “Main.py” file that ran some ordinary programs as well as a malicious file called “Watcher.py.” Watcher.py established a connection to a remote Google Drive account and began downloading content from it to another file named testSpeed.py. The malicious program then ran testSpeed.py a single time before deleting it in order to cover its tracks.

During the single-time execution of testSpeed.py, the program downloaded more content and eventually executed a file that Elastic calls “Sugarloader.” This file was obfuscated using a “binary packer,” Elastic stated, allowing it to bypass most malware detection programs. However, they were able to discover it by forcing the program to stop after its initialization functions had been called, then snapshotting the process’ virtual memory.

According to Elastic, it ran VirusTotal malware detection on Sugarloader, and the detector declared that the file was not malicious.

Related: Crypto firms beware: Lazarus’ new malware can now bypass detection

Once Sugarloader was downloaded onto the computer, it connected to a remote server and downloaded Kandykorn directly into the device’s memory. Kandykorn contains numerous functions that can be used by the remote server to perform various malicious activities. For example, the command “0xD3” can be used to list the contents of a directory on the victim’s computer, and “resp_file_down” can be used to transfer any of the victim’s files to the attacker’s computer.

Elastic believes that the attack occurred in April 2023. It claims that the program is probably still being used to perform attacks today, stating:

“This threat is still active and the tools and techniques are being continuously developed.”

Centralized crypto exchanges and apps suffered a rash of attacks in 2023. Alphapo, CoinsPaid, Atomic Wallet, Coinex, Stake and others have been victims of these attacks, most of which seem to have involved the attacker stealing a private key from the victim’s device and using it to transfer customers’ cryptocurrency to the attacker’s address. 

The United States Federal Bureau of Investigation has accused the Lazarus Group of being behind the Coinex hack, as well as performing the Stake attack and others.

Ripple Moves Big Money, RLUSD Sees Distribution, XRP Holds Key $2 Support

Stake hack of $41M was performed by North Korean group: FBI

After investigating, the FBI concluded that the hack of crypto gambling site Stake was carried out by North Korean hackers Lazarus Group.

The $41 million hack of crypto gambling site Stake was carried out by the North Korean Lazarus Group, the Federal Bureau of Investigation (FBI) stated in an announcement on Sept. 7. This group has stolen more than $200 million of crypto in 2023, the announcement stated.

Stake is a crypto gambling platform that offers casino games and sports betting. It was the victim of a cyberattack on Sept. 4 that drained over $41 million worth of cryptocurrency from its hot wallets. The Stake team stated that the hacker only obtained a small percentage of funds and that users would not be affected.

According to the FBI statement on Sept. 7, the agency has carried out an investigation and has concluded that the attack was performed by the Lazarus Group, a notorious cybercrime organization believed to be associated with the Democratic People’s Republic of Korea (DPRK). DPRK is also known as “North Korea.”

The FBI listed the addresses where the stolen funds are now held, which exist on the Bitcoin, Ethereum, BNB Smart Chain and Polygon networks. It recommended that all crypto protocols and businesses review the addresses used in the hack and avoid transacting with them, stating:

“Private sector entities are encouraged to review the previously released Cyber Security Advisory on TraderTraitor and examine the blockchain data associated with the above-referenced virtual currency addresses and be vigilant in guarding against transactions directly with, or derived from, those addresses.”

Related: FBI flags 6 Bitcoin wallets linked to North Korea, urges vigilance in crypto firms

The agency also blamed Lazarus for the Alphapo, CoinsPaid and Atomic Wallet hacks, stating that losses from all of these hacks add up to over $200 million the group has stolen in 2023. Alphapo is a payment processor that suffered over $65 million in suspicious withdrawals on July 23. CoinsPaid, another payments firm, lost over $37 million through social engineering sometime in late July. And Atomic Wallet users lost a whopping $100 million in June through an unknown exploit.

Ripple Moves Big Money, RLUSD Sees Distribution, XRP Holds Key $2 Support