A new attack method has surfaced in the blockchain ecosystem, adding to security concerns and eroding trust in a sector that has drawn many investors. According to Elastic Security Labs, new malware attributed to the North Korean hacking group Lazarus has been detected targeting Apple's macOS.
New Attack Method Draws Attention
According to research by Elastic Security Labs, the macOS malware, named KandyKorn, has capabilities including data retrieval, directory listing, file upload and download, secure deletion, process termination, and arbitrary command execution.
The flowchart above shows the steps the malware takes to compromise targeted users' computers and exfiltrate their data. The attackers first distribute Python-based modules by impersonating community members on Discord channels.
Through this social engineering, Web3 community members are encouraged to download a malicious ZIP file named 'Cross-platform Bridges.zip' that masquerades as an arbitrage bot designed to generate profits automatically. Once run, the archive's code loads 13 malicious modules that work together to steal information and exfiltrate data. The Elastic Security report states:
“We observed that the threat actor adopted a technique known as process hijacking, which we have not seen them use before to persist on macOS.”
Lazarus Targets Cryptocurrencies
The cryptocurrency sector remains the primary target of the North Korean hacking group Lazarus. The group is motivated chiefly by financial gain from its intrusions, with espionage as its other main focus.
The emergence of KandyKorn confirms that macOS is within Lazarus' scope and shows the group's ability to produce purpose-built, stealthy malware for Apple computers.
Separately, a recent vulnerability in the smart contracts of Unibot, a popular Telegram bot for trading on the decentralized exchange Uniswap, caused a 40% drop in its token price within an hour. Blockchain analysis firm Scopescan warned of an ongoing attack, and the project acknowledged the issue in a statement:
“We experienced a token approval exploit from our new router and have halted the router to contain the issue.”
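A token-approval exploit works because users had granted the new router contract an ERC-20 allowance to spend their tokens; once that router was compromised, those allowances could be drained without any further signature from the user. The practical check for anyone who interacted with such a contract is to audit which spenders still hold an allowance and revoke it. The following Python is an added example and is not code from this article, from Unibot or from Scopescan: it reconstructs current allowances from ERC-20 `Approval` event logs (in the shape `eth_getLogs` returns) and builds the `approve(spender, 0)` calldata that revokes one. The event topic and function selector are the standard ERC-20 values; the owner, router and token addresses and the sample logs are constructed placeholders, not the real Unibot contracts.

```python
"""Audit ERC-20 allowances from Approval logs and build revoke calldata.

Added example (not from the article or the projects it mentions).
All addresses and logs below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Standard ERC-20 constants (real values, not assumptions).
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"  # keccak256("Approval(address,address,uint256)")
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
UINT256_MAX = 2**256 - 1      # the "unlimited" allowance many dapps request

# Hypothetical placeholder addresses: not real wallets or contracts.
OWNER = "0x" + "11" * 20
ROUTER = "0x" + "22" * 20    # stands in for a compromised router contract
TOKEN_A = "0x" + "aa" * 20
TOKEN_B = "0x" + "bb" * 20


def _pad_topic(addr: str) -> str:
    """Encode an address as an indexed event topic (left-padded to 32 bytes)."""
    return "0x" + addr[2:].lower().rjust(64, "0")


def _word(value: int) -> str:
    """Encode a uint256 as a 32-byte hex word."""
    return "0x" + format(value, "064x")


# Constructed sample logs in eth_getLogs shape, already in chain order.
# The user approved the router for unlimited TOKEN_A, approved 1000 TOKEN_B,
# then revoked TOKEN_B (approve to zero). Only TOKEN_A is still exposed.
SAMPLE_LOGS = [
    {"address": TOKEN_A, "topics": [APPROVAL_TOPIC, _pad_topic(OWNER), _pad_topic(ROUTER)],
     "data": _word(UINT256_MAX)},
    {"address": TOKEN_B, "topics": [APPROVAL_TOPIC, _pad_topic(OWNER), _pad_topic(ROUTER)],
     "data": _word(1000 * 10**18)},
    {"address": TOKEN_B, "topics": [APPROVAL_TOPIC, _pad_topic(OWNER), _pad_topic(ROUTER)],
     "data": _word(0)},
]


@dataclass
class Allowance:
    token: str
    owner: str
    spender: str
    value: int


def _topic_to_address(topic: str) -> str:
    """Indexed address params occupy the low 20 bytes of the 32-byte topic."""
    return "0x" + topic[-40:].lower()


def current_allowances(logs: List[dict]) -> List[Allowance]:
    """Latest Approval value per (token, owner, spender), non-zero ones only.

    Logs must be in chain order so the last Approval wins. Caveat: transferFrom
    consumes allowance without emitting Approval on most tokens, so this is an
    upper bound; the authoritative value is allowance(owner, spender) on chain.
    """
    latest: Dict[Tuple[str, str, str], Allowance] = {}
    for log in logs:
        topics = log.get("topics") or []
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval event
        token = log["address"].lower()
        owner = _topic_to_address(topics[1])
        spender = _topic_to_address(topics[2])
        value = int(log["data"], 16)
        latest[(token, owner, spender)] = Allowance(token, owner, spender, value)
    return [a for a in latest.values() if a.value > 0]


def exposed_to(logs: List[dict], owner: str, spender: str) -> List[Allowance]:
    """Allowances that `owner` still holds open to a given (suspect) spender."""
    owner, spender = owner.lower(), spender.lower()
    return [a for a in current_allowances(logs)
            if a.owner == owner and a.spender == spender]


def revoke_calldata(spender: str) -> str:
    """ABI-encode approve(spender, 0): selector || address word || zero word."""
    addr = spender[2:].lower() if spender.startswith("0x") else spender.lower()
    if len(addr) != 40:
        raise ValueError("spender must be a 20-byte hex address")
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + "0" * 64


if __name__ == "__main__":
    for a in exposed_to(SAMPLE_LOGS, OWNER, ROUTER):
        kind = "UNLIMITED" if a.value == UINT256_MAX else str(a.value)
        print(f"token {a.token} allowance to {a.spender}: {kind}")
        print(f"  revoke tx data: {revoke_calldata(a.spender)}")
```

The calldata is what you would send in a transaction to each exposed token contract (the `to` field is the token, not the router). Treat the log-derived list as a triage aid for which tokens to check; confirm the live value with `allowance()` before deciding you are safe.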