This new macOS malware could leave you severely short-changed

cyber, attack, hacked word on screen binary code display, hacker
(Image credit: Shutterstock/supimol kumying)

The North Korean hacking collective Lazarus Group is back at it again, targeting blockchain engineers with advanced data exfiltration and remote code execution-capable trojans.

A report from researchers Elastic Security observed a new attack that originated on Discord and targeted the cryptocurrency community. By deploying a simple social engineering strategy, the attackers try and convince the victim to download a file named “Cross-platform Bridges.zip”, thinking it’s an arbitrage bot.

Arbitrage bots are usually legitimate pieces of code that allow users to automate buying crypto on one exchange and selling it on another where the price is slightly different. The changes in the prices are minuscule, but with automation and a hefty sum to get going, some people claim the bots work well. Usually, the bots can be purchased for tens of thousands of dollars. 

State-sponsored threat actors

But obviously, the victims wouldn’t be getting the bot. Instead, they’d get the KandyKorn malware, built for the macOS and capable of a number of things, including gathering system information, listing directory contents, downloading and running files on the victim’s endpoint, deleting files, killing processes, stealing files, and more.

The malware was built by the infamous Lazarus Group, the researchers allege, basing these claims on code and campaign overlaps with previous instances that were attributed to the North Koreans.

Lazarus is a known group, with strong ties with the North Korean government. Allegedly, it was behind some of the biggest crypto heists in history, including the attack on the Ronin bridge, which left the protocol some $600 million short. The stolen money is being used to fund the North Korean government and its nuclear program, western intelligence agencies claim.

This group is also well-known for running fake job schemes, tricking developers into downloading malware during the “hiring” process.

Via BleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.