Lazarus used ‘KandyKorn’ malware to attack the exchange – Elastic
According to a report by Elastic Security Labs published on October 31, the Lazarus Group used a new type of malware to compromise a crypto exchange.
Elastic has named the new malware “KandyKorn” and its loader “SugarLoader”, because the loader's file name carries a “.sld” extension. Elastic did not name the targeted exchange.
Crypto exchanges in 2023 have suffered a string of private key hacks, most of them attributed to the North Korean cybercrime enterprise Lazarus Group.
According to Elastic, the attack began when Lazarus members targeted blockchain engineers and engineers at the unnamed crypto exchange. The attackers posted a link on Discord claiming to be a profitable arbitrage bot that could profit from price differences between cryptocurrencies on various exchanges.
The attackers convinced the engineers to download this “bot”. The files in the program's zip archive had innocuous names like “config.py” and “pricetable.py”, which made it look like an arbitrage bot.
Once the engineers executed the program, it ran a “Main.py” file that carried out some simple operations and also launched a malicious file called “Watcher.py”. Watcher.py connected to a remote Google Drive account and downloaded content from it into another file called testSpeed.py. The malicious program ran testSpeed.py once and then deleted it to cover its tracks.
During that single run, testSpeed.py downloaded additional content and finally executed a file that Elastic calls “SugarLoader”. This file was obfuscated with a binary packer that, according to Elastic, allowed it to evade most malware detection programs. Analysts can defeat the packer by forcing the program to stop after its initialization functions are called and snapshotting the process's virtual memory.
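The staging pattern described above (a script reaches out to a cloud storage host, writes a second script, runs it once and deletes it) is something a detection engineer can hunt for in endpoint telemetry. The following Python is an added example, not code from Elastic's report or from the article: it assumes a simplified, constructed event format (`timestamp|pid|kind|detail`, one interpreter process per pid) and flags any process that fetched from a cloud storage host, then executed a .py file, then unlinked that same file within a short window. The sample events and the path under `/Users/dev/arb-bot/` are constructed for illustration.

```python
"""Hunt for download -> execute-once -> delete script staging in endpoint events.

Added example. The event format, host list and sample events are constructed
for illustration; they are not taken from the Elastic report.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    pid: int
    kind: str    # "net" (outbound connection), "exec" (script executed), "unlink" (file deleted)
    detail: str  # destination host for "net", file path for "exec"/"unlink"


# Hosts commonly abused for staging payloads (assumption: tune to your environment).
CLOUD_STAGING_HOSTS = ("drive.google.com", "docs.google.com", "googleusercontent.com")


def parse_line(line: str) -> Event:
    """Parse one constructed 'timestamp|pid|kind|detail' event line."""
    ts, pid, kind, detail = line.split("|", 3)
    return Event(datetime.fromisoformat(ts), int(pid), kind, detail)


def find_staged_script_execution(lines, window=timedelta(minutes=10)):
    """Return (pid, script_path) for every process that, in order:
    1. connected to a cloud storage host,
    2. executed a .py file after that connection, and
    3. deleted that same file within `window` of executing it.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    by_pid: dict[int, list[Event]] = {}
    for e in events:
        by_pid.setdefault(e.pid, []).append(e)

    hits = []
    for pid, evs in by_pid.items():
        first_fetch = next(
            (e.ts for e in evs if e.kind == "net" and e.detail.endswith(CLOUD_STAGING_HOSTS)),
            None,
        )
        if first_fetch is None:
            continue  # no cloud staging fetch, nothing to correlate
        for i, e in enumerate(evs):
            if e.kind != "exec" or not e.detail.endswith(".py") or e.ts < first_fetch:
                continue
            # Look for the same path being removed shortly after it ran.
            for later in evs[i + 1:]:
                if later.kind == "unlink" and later.detail == e.detail and later.ts - e.ts <= window:
                    hits.append((pid, e.detail))
                    break
    return hits


# Constructed sample telemetry mirroring the chain in the article: Main.py starts
# Watcher.py, which pulls from Google Drive into testSpeed.py, runs it, deletes it.
# pid 5151 is benign activity (pricetable.py talking to an exchange API).
SAMPLE_EVENTS = """
2023-04-12T10:00:01|4242|exec|/Users/dev/arb-bot/Main.py
2023-04-12T10:00:02|4242|exec|/Users/dev/arb-bot/Watcher.py
2023-04-12T10:00:03|4242|net|drive.google.com
2023-04-12T10:00:05|4242|exec|/Users/dev/arb-bot/testSpeed.py
2023-04-12T10:00:09|4242|unlink|/Users/dev/arb-bot/testSpeed.py
2023-04-12T10:05:00|5151|net|api.exchange.example
2023-04-12T10:05:01|5151|exec|/Users/dev/arb-bot/pricetable.py
""".strip().splitlines()


if __name__ == "__main__":
    for pid, path in find_staged_script_execution(SAMPLE_EVENTS):
        print(f"pid {pid}: staged script executed once and deleted: {path}")
```

The benign process never touches a staging host, so it is ignored even though it also runs a .py file; the `window` argument keeps the rule from pairing an execution with an unrelated deletion hours later. In a real deployment the same three conditions map onto process, network and file events from an EDR, with the host list and window tuned to the environment.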
Elastic also scanned SugarLoader with VirusTotal, and the scanner declared the file non-malicious.
Once on the computer, SugarLoader connects to a remote server and loads KandyKorn directly into the device's memory. KandyKorn contains several functions that the remote server can invoke to perform various malicious activities. For example, the command “0xD3” lists the contents of a directory on the victim's computer, and “resp_file_down” transfers any of the victim's files to the attacker's machine.
Elastic believes the attack took place in April 2023. The program is probably still being used to carry out attacks today, it says.
“This threat is still active and the tools and techniques are constantly being developed.”
Centralized crypto exchanges and applications faced a wave of attacks in 2023. Alphapo, CoinsPaid, Atomic Wallet, CoinEx, Stake and others fell victim to these attacks, most of which appear to have involved the attacker stealing the private key from the victim's device and using it to transfer customers' cryptocurrency to the attacker's address.
The United States Federal Bureau of Investigation has accused the Lazarus Group of being behind the CoinEx hack as well as the Stake attack, among others.