Novel macOS malware launched by North Korean hackers

New KANDYKORN macOS malware has been deployed by threat actors linked to North Korea's Lazarus Group in attacks against an unspecified cryptocurrency exchange's blockchain engineers since April, reports The Hacker News. Attackers spoofed engineers on Discord to distribute a Python application purporting to be an arbitrage bot, which facilitated the retrieval of Python files that execute the SUGARLOADER second-stage payload, which then fetches and executes KANDYKORN remote access trojan, a report from Elastic Security Labs showed. Aside from facilitating file enumeration and data exfiltration, KANDYKORN could also enable additional malware execution, process termination, and arbitrary command execution. "KANDYKORN is an advanced implant with a variety of capabilities to monitor, interact with, and avoid detection. It utilizes reflective loading, a direct-memory form of execution that may bypass detections," researchers added. The report comes after recent attacks by North Korean threat cluster Kimsuky, also known as APT43, were noted by S2W Threat Analysis researchers to have involved updated FastViewer malware.