How DPRK and Lazarus Group Hackers Use Malware to Attack Blockchain Engineers

Elastic Security Labs has identified a unique intrusion malware that specifically targets blockchain engineers cryptocurrency exchange platforms.

This attack employs a blend of deceptive tactics and conventional tools to gain unauthorised access to computer systems and extract sensitive data.

The use of this cyber intrusion tool was detected during an investigation into the background activity of a Macintosh computer.

The attack was initiated through a counterfeit program masquerading as a cryptocurrency profit-generating tool, distributed via direct messages on Discord.

Attributed to a group believed to be operating from Democratic People’s Republic of Korea (DPRK) i.e. North Korea, it shares significant resemblances with the Lazarus Group, based on the analysis of methodologies, network structures, digital certificates, and unique detection measures related to the Lazarus Group.

Elastic has named this specific form of intrusion as “REF7001.”

It all started rather simply.

Malicious actors assumed false identities within a Discord group dedicated to discussions on cryptocurrency-related software.

As with most malware, they manipulated an unsuspecting individual into downloading a seemingly innocuous file, which, in reality, harboured malicious code.

The victim was under the impression that they were acquiring a cryptocurrency arbitrage bot, which was capable of detecting rate differences between exchanges and profiting from the variances.

Upon opening this file, the primary phase of the attack, known as “KANDYKORN,” was initiated.

To execute the attack, the victim was required to run the a program through a specific software interpreter.

Initially, the original program appeared innocuous as it imported other files and executed seemingly routine operations.

The user unknowingly played a crucial role in this program, participating in seemingly routine actions that were, in fact, essential to the attack’s success.

Subsequent to the victim’s execution of this program, the REF7001 attack unfolded through five discrete stages.

Stage 1 – Preparation:

The original program will discretely run another program. This particular program will assess the computer’s environment and prepare it for the next phase of attack.

Stage 2 – Loading Additional Malware:

Once the computer’s environment has been ascertained, two other files that are intermediary Python scripts, will download and run a program known as “SUGARLOADER.”


This program will execute further clandestine operations. and facilitate the loading of the final stage, “KANDYKORN.”

Stage 4 – Camouflage as Discord:

A file named “HLOADER/Discord(fake)” will then pretend to be the legitimate Discord program. It served as a ruse to maintain the presence of the deceptive program “SUGARLOADER” on the victim’s system.

Stage 5 – “KANDYKORN”

Once infiltrated, KANDYKORN will possesses a wide range of capabilities. It can receive discrete commands, such as downloading from another computer. It will also be able to check the computer’s details, send and receive information to another computer, even grant control of the computer to another terminal. In short, a complete breach.

Elastic traces the campaign back to April 2023.

They did this by analysing the encryption key employed for securing the SUGARLOADER and KANDYKORN C2 communications.

The threat remains active, and apparently continues to undergo evolution in both tools and techniques.

Lazarus is a well-known North Korean cryptocurrenc cyberespionage group.

They have a history dating back to at least 2009.

Due to sanctions surrounding the DPRK, their objective is to pilfer cryptocurrency – since the use of the digital currency helps them evade such international sanctions.

North Korean hackers have purportedly stolen approximately $3.5 billion from cryptocurrency projects since 2016, based on reports from blockchain forensics firm Chainalysis on September 14.

It is speculated by the UN that the stolen funds are being used to support North Korea’s nuclear missile program.

Coinlive previously reported on how the Lazarus Group was using LinkedIn to infect computers with malware.

* Original content written by Coinlive. Coinbold is licensed to distribute this content by Coinlive.

Coinlive is a media company that focuses on Making Blockchain Simpler for everyone. We cover exclusive interviews, host events, and feature original articles on our platforms


Latest news

Upcoming Events