
CTI Roundup: Hackers Target Crypto Experts with KANDYKORN Malware

Lazarus Group targets a software vendor, a link shortening service abuses the .US top-level domain, and hackers target crypto experts with KANDYKORN malware

Emerging Issue

In this week’s roundup CTI investigates the latest activity from North Korea’s Lazarus Group, which includes repeatedly compromising an unnamed software vendor and deploying multiple malware families. Next, CTI sheds light on Prolific Puma, a DNS threat actor that has been operating in the shadows for several years. CTI wraps things up with a look at a North Korean threat actor that overlaps with the Lazarus Group and is now targeting blockchain engineers at a crypto exchange platform with a new macOS malware.

1. Lazarus Group targets a software vendor

North Korea’s Lazarus Group has been observed repeatedly compromising an unnamed software vendor. The group was able to exploit vulnerabilities despite the availability of multiple patches and warnings. The attackers used several evasion techniques and deployed multiple malware families.

Attack overview

According to SecureList, the vendor had previously fallen victim to Lazarus Group numerous times. The recurring breach indicates a persistent threat actor with a potential supply chain attack in mind.

The SIGNBT malware used in the attack employed a diverse infection chain and sophisticated techniques. The threat actor also leveraged LPEClient to execute a range of targeted attacks.

About SIGNBT loader

In July 2023, SecureList detected a series of attacks on several victims that were targeted through legitimate security software designed to encrypt web communications via digital certificates.
In one instance, SecureList discovered the SIGNBT malware and shellcode, which was responsible for launching a Windows executable file directly in memory. The threat actor used different tactics for persistence during the attack and multiple methods for loading the final SIGNBT payload. The threat actor primarily used DLL sideloading to deliver SIGNBT.

SIGNBT malware: An overview

Most SIGNBT malware instances are launched from the malware loader, which operates in memory.

Once executed it begins communicating with the C2 server, sending a beacon after initializing its configuration data. Its communication uses distinctive strings that start with SIGNBT, hence the malware’s name. The malware creates a 24-byte value and generates an additional 24 bytes of random data that are XORed together. The encoded values are combined with either three or seven randomly generated HTTP parameter names, making it more challenging to detect and analyze its communications. The malware contains an extensive set of functionalities that can be performed based on instructions from the C2.
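The two traits the report gives for SIGNBT beaconing (a recognizable "SIGNBT" prefix in the encoded data, carried in either three or seven randomly named HTTP parameters) can be turned into a coarse proxy-log triage rule. The script below is an added example written for this roundup, not code from SecureList or Tanium; the log line format, the base64 encoding of the values, and the "random-looking name" heuristic are assumptions, and the sample lines are constructed.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl

# Constructed sample proxy log lines: "<method> <url> body=<form body>". Not real traffic.
SAMPLE_LOG = [
    "POST https://update.example.test/index.php body=qzjw=U0lHTkJUAAECAw==&hrkx=YWJj&twpl=ZGVm",
    "POST https://shop.example.test/cart body=item=42&qty=1&coupon=SPRING",
    "POST https://cdn.example.test/api body=a1b2=U0lHTkJU&x9=dGVzdA==&zz=MTIz&k4=YQ==&p7=Yg==&m3=Yw==&n8=ZA==",
    "GET https://news.example.test/?id=7 body=",
]

MARKER = b"SIGNBT"  # distinctive string the report says the traffic starts with

def _random_looking(name):
    # Heuristic assumption: generated parameter names are short alphanumerics that are
    # not ordinary form-field names. A tiny denylist stands in for a real word list.
    common = {"id", "item", "qty", "coupon", "user", "pass", "password", "email", "q", "page", "token"}
    return name.lower() not in common and re.fullmatch(r"[A-Za-z0-9]{2,12}", name) is not None

def _decodes_with_marker(value):
    # Check the raw value and, if it is valid base64, the decoded bytes for the marker.
    candidates = [value.encode()]
    try:
        candidates.append(base64.b64decode(value, validate=True))
    except (binascii.Error, ValueError):
        pass
    return any(c.startswith(MARKER) for c in candidates)

def score_request(line):
    # Returns (suspicious, reasons). Both traits must be present to reduce false positives.
    reasons = []
    method, _, rest = line.partition(" ")
    url, _, body = rest.partition(" body=")
    params = parse_qsl(body, keep_blank_values=True)
    if method == "POST" and len(params) in (3, 7) and all(_random_looking(n) for n, _ in params):
        reasons.append(f"{len(params)} random-looking POST parameters")
    if any(_decodes_with_marker(v) for _, v in params):
        reasons.append("SIGNBT marker in parameter value")
    return (len(reasons) == 2, reasons)

def scan(lines):
    # Filter a batch of log lines down to the ones matching both SIGNBT traits.
    return [line for line in lines if score_request(line)[0]]
```

Requiring both traits keeps ordinary three-field web forms out of the results; the parameter-count check alone would be far too noisy.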

Some of the commands supported by SIGNBT include:

  • CCBrush: Handles functionalities like getting information about the system, testing connectivity, and configuring settings.
  • CCList: Manages processes including obtaining a list of running processes, killing processes, running files, and DLL manipulations.
  • CCComboBox: Works with the file system, such as obtaining lists of drives, changing file properties, and creating new folders.
  • CCButton: Downloads and uploads files, loads into memory, and captures the screen.
  • CCBitmap: Implements commonly used Windows commands and utilities.

LPEClient

The actor has been observed delivering tools like LPEClient and credential-dumping utilities. The LPEClient malware isn’t new, having been discovered in 2020. It collects information about victims and downloads additional payloads from a remote server to run in memory.

According to SecureList, this malware has undergone significant evolution since its discovery. It now leverages advanced techniques to improve its stealth and evade detection, such as disabling user-mode syscall hooking and restoring system library memory sections.

LPEClient has been previously used in Lazarus Group attacks. This malware repeatedly serves as the initial infection vector to enable victim profiling and deliver additional payloads.

Analyst comments from Tanium’s Cyber Threat Intelligence team

This latest report reiterates just how determined and persistent the Lazarus Group can be, attacking the same company repeatedly to facilitate a supply chain attack.

It’s clear that the group is committed to remaining one of the top threat actors. During their repeated attempts to compromise the same software company, they relied heavily on the exploitation of vulnerabilities that had a patch released — further demonstrating the importance of timely patching.

2. Link shortening service abuses the .US top-level domain

Researchers are actively tracking a DNS threat actor named Prolific Puma, which creates domain names using a registered domain generation algorithm (RDGA) and uses them to provide a link-shortening service to other threat actors for phishing and other malicious activities. The link-shortening service heavily abuses the .US top-level domain (TLD).

What is Prolific Puma?

Prolific Puma is playing a small role within the cybercriminal supply chain by enabling other cybercriminals to conduct malicious activities. The group algorithmically generates large volumes of domains and uses them to generate shortened links. Other threat actors use these links to hide their activity.

Researchers found reports of Prolific Puma’s link-shortening services dating back to January 2020. The shortened links are primarily sent to victims via text messages. However, they could also be used in other contexts.

Detection and domain name characteristics

Infoblox aggregated passive DNS query logs along with other data sources to run a series of analytics on newly queried, registered, or configured domains. This enabled them to characterize the domains, flagging some as suspicious and assigning some to a particular DNS threat actor. They deployed algorithms for RDGA discovery earlier this year, identifying Prolific Puma domains in groups.

The connection between Prolific Puma domains and the true final landing pages is indirect. The malicious traffic is spread across the redirect domains at low volumes, which, combined with strategic aging, leaves some of the domains with a “good” reputation.

Prolific Puma has registered between 35,000 and 75,000 unique domains since April 2022, with roughly 43 new domains being observed each day. The actor primarily uses NameSilo as their domain name registrar and strategically ages the domains before starting to host their service with anonymous providers. The actor is constantly abusing the .US TLD, and is known to register both new and dropped domains.

The domains are alphanumeric, pseudo-random, and typically between three and four characters long. The domains are also registered across 12 TLDs, with roughly 55% registered with .US.

Abuse of the .US TLD

Only US citizens and US-affiliated businesses are eligible to register .US domains. To register a .US domain with NameSilo you must have an email address and select a category that notates your relationship with the US. Prolific Puma has been observed selecting the “US citizen” category.

The registrant must also provide a name, address, and phone number — none of which appear to be verified during the process. This is an ongoing problem for many TLDs as it is difficult for a registrar to regulate domains.

How Prolific Puma uses strategic aging

DNS threat actors are similar to malware threat actors but leave very little information to work with in DNS and domain registration records. Prolific Puma prefers using private domain registration but still relies heavily on .US TLD registrations, which are required to be public.

The actor will leave the domain unused or parked for several weeks after registration, a technique that is known as strategic aging. This is done with intent, as many phishing attacks are tied to newly registered domains and some companies will block access to newly registered domains in response to this. During this aging process, the threat actor will make a few DNS queries to gain a good reputation for the domain.

It appears that Prolific Puma provides a service to other threat actors and that the final landing pages are not under its control, though that remains possible. It also remains unclear how Prolific Puma is advertising its services, and how its users receive the shortened URL.
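The domain characteristics above (three-to-four-character alphanumeric labels, heavy use of .US) and the strategic-aging behaviour together suggest a triage rule for passive DNS: a "newly registered domain" block list alone misses these domains precisely because they are parked for several weeks first. The script below is an added example for this roundup, not code from Infoblox or Tanium; the 60-day aging window and the record layout are assumptions, and the records are constructed.

```python
import re
from datetime import date

# Constructed records: (domain, first seen in our DNS logs, registration date).
# Not real Prolific Puma indicators.
SAMPLE_RECORDS = [
    ("k7q2.us", date(2023, 10, 30), date(2023, 10, 2)),
    ("zx3.us", date(2023, 10, 31), date(2023, 10, 28)),
    ("h8dw.cc", date(2023, 10, 30), date(2023, 9, 5)),
    ("shop.example.com", date(2023, 10, 30), date(2015, 3, 1)),
    ("abcd.us", date(2023, 10, 30), date(2019, 1, 1)),
]

SHORT_LABEL = re.compile(r"^[a-z0-9]{3,4}$")
AGING_WINDOW_DAYS = 60  # assumption: covers the "several weeks" of parking before use

def score_domain(domain, first_seen, registered):
    # Each matching trait adds one point; returns (score, reasons).
    reasons = []
    label, _, tld = domain.lower().rpartition(".")
    if "." not in label and SHORT_LABEL.match(label):
        reasons.append("3-4 character alphanumeric label")
    if tld == "us":
        reasons.append(".US TLD")
    age_days = (first_seen - registered).days
    # Widen the usual "registered in the last few days" check to the whole aging window,
    # so a domain parked for weeks and then put to use still scores.
    if 0 <= age_days <= AGING_WINDOW_DAYS:
        reasons.append(f"first seen {age_days}d after registration")
    return len(reasons), reasons

def triage(records, threshold=3):
    # Return the domains that match at least `threshold` traits, in input order.
    return [d for d, seen, reg in records if score_domain(d, seen, reg)[0] >= threshold]
```

Registration dates come from WHOIS/RDAP or a registration feed; short .US domains that are years old (like the constructed abcd.us) score lower and are better handled by reputation data than by this rule.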

Analyst comments from Tanium’s Cyber Threat Intelligence team

Researchers often spend a lot of time looking at the start and end point of a malicious campaign, i.e. the landing page. What we’re seeing with Prolific Puma is the middle layer of the broader cybercriminal supply chain, and how these DNS threat actors can further enable other cybercriminals in their endeavors. This is what makes Prolific Puma and its link shortening service so interesting.

3. Hackers target crypto experts with KANDYKORN malware

North Korean threat actors are now targeting blockchain engineers at a crypto exchange platform with a new macOS malware called KANDYKORN.

The activity, which stretches back to April 2023, involves a combination of custom and open-source capabilities and overlaps with the Lazarus Group.

The execution flow

In this example, the threat actors began by impersonating blockchain engineering community members on a public Discord server. The actor then used social engineering to convince victims to download and decompress a ZIP archive of malicious code, leading the victim to believe they were installing an arbitrage bot (a software tool used to profit from cryptocurrency rate differences between platforms).

The attack chain ultimately results in the distribution of KANDYKORN malware.

  • Stage 1 droppers: testSpeed.py and FinderTools are two droppers used in the first stage of the attack.

testSpeed.py establishes an outbound connection and fetches an additional Python file from a Google Drive URL (FinderTools). testSpeed.py will then save and launch this new file.

FinderTools is yet another dropper and will download and execute a hidden second-stage payload (.sld).

  • Stage 2 payload: This stage involves executing an obfuscated binary named SUGARLOADER. This binary is used twice under two separate names, .sld and .log. It is used for initial access on the machine and again for initializing the environment for the final stage. Its primary purpose is to connect to a C2 server to download and execute the final stage payload, KANDYKORN.

SUGARLOADER will ensure the config file exists, is read into memory, and is decrypted before establishing a connection to the remote server. Its last step is to download the final stage payload from the C2 server and execute it. This actor takes advantage of a technique known as reflective binary loading, which can be used to execute a payload from an in-memory buffer. SUGARLOADER reflectively loads the KANDYKORN binary.

  • Stage 3 loader (Discord): During this stage of the attack, a payload called HLOADER attempts to masquerade as the legitimate Discord application. It was identified using a macOS binary code signing technique that was previously linked to the Lazarus Group’s 3CX intrusion.

For persistence, the actor leverages execution flow hijacking. The loader’s main purpose is to execute the legitimate Discord bundle along with the .log payload from earlier, which is used to execute Mach-O binary files from memory.

  • Stage 4 KANDYKORN: KANDYKORN is the last stage of the execution chain and is equipped with a full-featured set of capabilities to access and exfiltrate data.

Its processes are forked and run in the background as daemons before loading their config file. After establishing communication, KANDYKORN will wait for commands from the C2 server instead of polling for commands. Some of its available commands include collect information, transfer files, archive a directory and exfiltrate, overwrite and delete files, kill processes, spawn a shell, download a new config file, and more. A full list of its accepted commands can be found in Elastic’s report.
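A simple host-side check that follows from the chain above: SUGARLOADER was dropped as hidden files named .sld and .log, which are names a casual look would dismiss, yet the content was an executable. The script below is an added example for this roundup, not code from Elastic or Tanium; it walks a directory and reports hidden dotfiles whose first bytes are a Mach-O or universal binary header, regardless of the file name. The fixture it scans is constructed in a temporary directory.

```python
import os
import tempfile

# Mach-O magic numbers (32/64-bit, both byte orders) plus the universal "fat" header.
# Note: FAT_MAGIC (0xcafebabe) also begins Java class files, so confirm hits by hand.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # FAT_MAGIC / FAT_CIGAM
}

def is_macho(path):
    # True if the file starts with one of the known Mach-O header magics.
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False

def find_hidden_macho(root):
    # Hidden dotfiles that are really Mach-O executables, as relative paths, sorted.
    # Extension or name (.sld, .log, anything) is ignored; only the header matters.
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name.startswith(".") and is_macho(full):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)

def build_sample_tree():
    # Constructed fixture: a hidden 64-bit Mach-O stub named .sld, a hidden plain-text
    # .log, and a visible Mach-O stub under bin/. Only the first should be reported.
    root = tempfile.mkdtemp()
    with open(os.path.join(root, ".sld"), "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
    with open(os.path.join(root, ".log"), "wb") as fh:
        fh.write(b"2023-10-31 started\n")
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "tool"), "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
    return root

if __name__ == "__main__":
    print(find_hidden_macho(build_sample_tree()))
```

On a real host, point find_hidden_macho at user home directories and any path the Discord bundle lives in; a hidden Mach-O next to a legitimate application is the pattern the HLOADER stage relies on.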

Analyst comments from Tanium’s Cyber Threat Intelligence team

This is not the first time a group associated with Lazarus has leveraged macOS malware. However, it does indicate that the threat actor may be starting to emphasize macOS malware. While this attack appears to be specifically targeting the crypto industry, many of the other TTPs are not unique and therefore may appear again in the future.


Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum and start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.

Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.
