Breaking News Lazarus Group Strikes Again with ‘Kandykorn’ Malware in Dramatic Crypto Exchange Attack


North Korean Hackers Unleash Kandykorn Malware on Cryptocurrency Exchanges!


Oh boy, the North Korean hackers are at it again! This time, they’ve cooked up a new gourmet malware dish called “Kandykorn” to target unsuspecting cryptocurrency exchanges. Elastic Security Labs recently blew the whistle on this notorious Lazarus Group, revealing their latest cyber shenanigans. And let me tell you, it’s like a blockbuster action movie playing out in the digital world!

Imagine: these hackers infiltrated a public Discord server posing as blockchain engineers and super-smart arbitrage bot builders. They lured unsuspecting engineers with promises of exploiting price differences between cryptocurrencies on different exchanges. Can you believe it? They convinced these engineers to download their malicious “bot,” disguised as an arbitrage tool with catchy file names like “config.py” and “pricetable.py.” Talk about candy-coated trickery!

Now, let’s dive into the juicy details of the Kandykorn operation. Elastic Security Labs, like expert detectives, unraveled the five-stage process behind this advanced malware. It’s like an intricate dance, showcasing the terrifying capabilities of the hackers.

First, they unleash a Python script named “watcher.py” that connects to a remote Google Drive account. This script then downloads a file called “testSpeed.py,” but don’t blink, because it’s quickly erased to eliminate any evidence! Sneaky, huh?

But wait, there’s more! During this frenetic download dance, the script secretly fetches another Python file known as “FinderTools” from a Google Drive URL. FinderTools takes over as the next dropper, downloading and executing a concealed second-stage payload named... wait for it... SUGARLOADER! Who comes up with these names?

SUGARLOADER, like a magician’s assistant, skillfully hides itself by using a “binary packer,” which compresses and obfuscates the executable so that its real code only appears once it is unpacked in memory, making it a real challenge for most malware detection programs. But Elastic Security Labs refused to be fooled. They halted the program’s post-initialization functions and examined its virtual memory, revealing its true identity. Bravo!

But the adventure doesn’t end there. SUGARLOADER establishes a connection with a remote server, retrieving the grand finale payload, the notorious KANDYKORN. This bad boy is executed directly in memory, never touching disk, and brings with it a whole arsenal of remote access Trojan (RAT) capabilities. It’s like a formidable creature, with powers of file enumeration, executing additional malware, data exfiltration, process termination, and arbitrary command execution. It’s a digital villain that you definitely don’t want to mess with!
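As an added example (not code from the article or from Elastic Security Labs), here is a small behavioural detection for the staging pattern just described: a Python process that fetches from Google Drive, writes a .py file, runs it and deletes it within seconds. The event feed, its field names and the host list are constructed assumptions standing in for a real EDR or file-monitor stream.

```python
"""Flag the download-execute-delete dropper chain the article describes.

Constructed telemetry (not real logs): each event is a dict with a timestamp
in seconds, a process id, an event type and a detail string. The first
sequence mirrors the article: a Python process reaches out to Google Drive,
writes testSpeed.py, runs it, and deletes it a moment later.
"""
from collections import defaultdict

# Constructed sample events; field names are an assumption, not a real EDR schema.
SAMPLE_EVENTS = [
    {"ts": 100.0, "pid": 4242, "event": "process_start", "detail": "python3 watcher.py"},
    {"ts": 101.2, "pid": 4242, "event": "net_connect", "detail": "drive.google.com:443"},
    {"ts": 102.5, "pid": 4242, "event": "file_write", "detail": "/tmp/testSpeed.py"},
    {"ts": 103.0, "pid": 4242, "event": "process_start", "detail": "python3 /tmp/testSpeed.py"},
    {"ts": 104.1, "pid": 4242, "event": "file_delete", "detail": "/tmp/testSpeed.py"},
    # Benign control: a sync job that also talks to Google Drive but keeps what it downloads.
    {"ts": 200.0, "pid": 5151, "event": "process_start", "detail": "python3 sync.py"},
    {"ts": 201.0, "pid": 5151, "event": "net_connect", "detail": "drive.google.com:443"},
    {"ts": 202.0, "pid": 5151, "event": "file_write", "detail": "/home/dev/report.csv"},
]

# Hosts the article names as the staging location; extend for your environment.
CLOUD_HOSTS = ("drive.google.com", "docs.google.com")


def find_dropper_chains(events, window=60.0):
    """Return one alert per process that connects to a cloud host, writes a .py
    file and deletes that same file within `window` seconds. The check is
    behavioural, so a packed or renamed payload is still caught."""
    per_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        per_pid[ev["pid"]].append(ev)

    alerts = []
    for pid, evs in per_pid.items():
        if not any(e["event"] == "net_connect"
                   and e["detail"].split(":")[0] in CLOUD_HOSTS for e in evs):
            continue
        writes = {e["detail"]: e["ts"] for e in evs
                  if e["event"] == "file_write" and e["detail"].endswith(".py")}
        for e in evs:
            if e["event"] != "file_delete" or e["detail"] not in writes:
                continue
            lifetime = e["ts"] - writes[e["detail"]]
            if 0 <= lifetime <= window:
                # Was the dropped file launched between its write and its deletion?
                executed = any(x["event"] == "process_start" and e["detail"] in x["detail"]
                               and writes[e["detail"]] <= x["ts"] <= e["ts"] for x in evs)
                alerts.append({"pid": pid, "path": e["detail"],
                               "lifetime_s": round(lifetime, 1), "executed": executed})
    return alerts
```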

And let me tell you, these hackers are hitting crypto exchanges left and right. They’ve been stealing private keys like a modern-day Robin Hood, but without the altruistic intentions. Cryptocurrency exchanges have been bleeding money, with millions of dollars disappearing into thin air. The Lazarus Group is like a swarm of digital locusts, leaving a trail of devastation in their wake.

They wiped out over $40 million from Stake.com, and that’s just the tip of the iceberg. Cryptocurrency exchanges like Atomic Wallet, CoinsPaid, Alphapo, and CoinEx have all fallen victim to their cunning schemes. The total haul amounts to a mind-boggling $240 million since June! It’s like a never-ending heist movie, with the Lazarus Group as the ultimate super villains.

The United States Federal Bureau of Investigation (FBI) has pointed an accusing finger at the Lazarus Group, linking them to the CoinEx hack and the infamous Stake.com attack. These hackers are leaving their calling card everywhere they go, like modern-day digital pirates marking their territory.

According to a report by 21.co, wallets connected to the Lazarus Group hold a staggering amount of cryptocurrency. Picture this – 1,600 Bitcoin, 10,810 Ether, and 64,490 Binance Coins. It’s like a gigantic treasure chest waiting to be seized by the cyber police, or perhaps some brave hero with a knack for digital justice.

So, my fellow digital investors, be on high alert! Stay vigilant and fortify your defenses because these hackers are relentless. Don’t be like those engineers who fell for the honey-coated tricks of the Lazarus Group. Always double-check, verify, and protect your digital assets like a superhero protecting their secret identity.

Remember, we’re all in this digital adventure together, and with a bit of humor and a lot of caution, we can navigate these treacherous waters. Stay safe, fellow crypto warriors!

What are your thoughts on the Lazarus Group’s latest escapades? Have you ever fallen victim to a cyber attack? Share your stories and let’s spread awareness in the digital world!
