Elastic catches DPRK passing out KANDYKORN

2023-11-01, Elastic
https://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn
#KANDYKORN #REF7001 #macOS

Elastic Security Labs exposes an attempt by the DPRK to infect blockchain engineers with novel macOS malware.
Preamble
Elastic Security Labs is disclosing a novel intrusion targeting blockchain engineers of a crypto exchange platform. The intrusion leveraged a combination of custom and open source capabilities for initial access and post-exploitation.
We discovered this intrusion when analyzing attempts to reflectively load a binary into memory on a macOS endpoint. The intrusion was traced to a Python application posing as a cryptocurrency arbitrage bot delivered via a direct message on a public Discord server.
We attribute this activity to DPRK and recognize overlaps with the Lazarus Group based on our analysis of the techniques, network infrastructure, code-signing certificates, and custom Lazarus Group detection rules; we track this intrusion set as REF7001.
Key takeaways
- Threat actors lured blockchain engineers with a Python application to gain initial access to the environment
- This intrusion involved …

IoC
