Elastic Security Labs researchers recently observed state-sponsored threat actors from the Democratic People’s Republic of Korea (DPRK) targeting blockchain engineers of an unspecified crypto exchange platform. The operation’s TTPs align with previous Lazarus Group activity.
Unlike previous Lazarus Group macOS malware attacks, this operation employed social engineering tactics on a public Discord server to trick users into downloading a malicious ZIP archive. The threat actor attempted to convince Discord users that they were downloading an arbitrage bot, a cryptocurrency-focused software tool. Instead, the archive executed a five-stage process culminating in the deployment of KANDYKORN. This RAT is capable of enumerating files, exfiltrating data, terminating processes, and running arbitrary commands on compromised systems. DPRK-sponsored threat actors frequently target crypto-industry organizations to steal financial resources for the sanctioned nation.
Read More:
https://thehackernews.com/2023/11/north-korean-hackers-tageting-crypto.html