KandyKorn

Summary
Sophisticated DPRK malware targeting blockchain engineers on Discord
Class
APT Trojan
Class Summary
Advanced Persistent Threat (APT) Trojans are a form of stealthy malware. They're designed to maintain their presence on your macOS system over extended periods, making detection challenging. These Trojans are often used in targeted attacks, typically by skilled adversaries such as nation-state actors or sophisticated cybercriminal groups. They can steal sensitive data or execute remote commands. If an APT Trojan is detected, it's crucial to consult with a security specialist. Considering the stealth and persistence of APT actors, you might need an overall security audit to ensure complete removal and secure any breached data.
Description

KANDYKORN is a full-featured remote access trojan (RAT) capable of encrypted command and control (C2) communication, system enumeration, data exfiltration, terminating processes, and executing arbitrary system commands or payloads.

This malware was discovered as part of a much larger, sophisticated attack in which DPRK threat actors targeted blockchain engineers. The attackers deployed a multi-stage malware attack via a fake bot on Discord. The initial compromise involved various malicious Python scripts that downloaded additional malware components. Subsequently, the Python scripts acted as droppers for the next stage of the malware, which established a connection to a C2 server. A further stage was used after this that employed persistence and defense-evasion techniques such as reflective binary loading, which ultimately led to the in-memory execution of the KandyKorn malware.

Example Hashes
  • d28830d87fc71091f003818ef08ff0b723b3f358
  • 43f987c15ae67b1183c4c442dc3b784faf2df090
  • e68bfa72a4b4289a4cc688e81f9282b1f78ebc1f