Cyber Intrusion Unveiled: DPRK-Lazarus Group Strikes Again!

The cybersecurity researcher, in a recent disclosure, unveiled a highly sophisticated intrusion tracked as REF7001, targeting blockchain engineers at a cryptocurrency exchange platform. The attack combined custom and open-source capabilities and was delivered through a Python application posing as a cryptocurrency arbitrage bot, distributed via a public Discord server.

The intrusion's discovery stemmed from an investigation into attempts to load a binary into memory on a macOS system, revealing a series of meticulously crafted stages that collectively led to the intrusion. This elaborate execution flow was broken down into distinct stages:

  Stage 0 - Initial Compromise: Initiated by a Python application named 'Watcher.py' camouflaged within a file named 'Cross-Platform Bridges.zip'. This script laid the groundwork for subsequent malicious actions.

  Stage 1 - Droppers: Progressed with the execution of 'testSpeed.py' and 'FinderTools', establishing outbound network connections and downloading additional malicious files.

  Stage 2 - Payload: Introduced 'SUGARLOADER', an obfuscated binary responsible for initial access and setting the stage for the final payload, 'KANDYKORN'.

  Stage 3 - Loader Discord: Involved 'HLOADER', masquerading as the legitimate Discord application, ensuring persistence on the victim's system.

  Stage 4 - Payload 'KANDYKORN': Represented the final stage with comprehensive capabilities for data access and exfiltration.

Highlighted in the analysis were various technical aspects:

  Use of obfuscation and binary packing to bypass traditional signature-based antimalware capabilities.
  Utilization of reflective loading for direct-memory execution, evading traditional detection methods.
  An elaborate network protocol for communication between the victim's system and the Command and Control server.

The cybersecurity researcher's investigation led to the identification and linking of several domains and IP addresses used in the attack. Notable indicators included 'tp-globa[.]xyz' and '23.254.226[.]90', which show connections to prior DPRK-Lazarus Group campaigns.
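As an added defender-side example (not code from this post or from the original disclosure), the script below refangs the two indicators named above and hunts for them, together with the stage 0 and stage 1 file names, across DNS, flow and endpoint log lines. The log lines, host names and internal addresses are constructed for the example; only the indicators and file names come from the post.

```python
import re

# Network indicators exactly as the post writes them (defanged).
DEFANGED_INDICATORS = ["tp-globa[.]xyz", "23.254.226[.]90"]
# File and process names the post attributes to stages 0 and 1.
STAGE_ARTIFACTS = ["Cross-Platform Bridges.zip", "Watcher.py", "testSpeed.py", "FinderTools"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'tp-globa[.]xyz' into its matchable form."""
    return indicator.replace("[.]", ".")


def build_matcher(values):
    """Compile an alternation of literal values, bounded so that '23.254.226.90' does not
    match inside '123.254.226.90'. A preceding '.' is allowed so subdomains still hit."""
    alt = "|".join(re.escape(v) for v in values)
    return re.compile(r"(?<![A-Za-z0-9-])(?:%s)(?![A-Za-z0-9-])" % alt, re.IGNORECASE)


def scan_logs(lines, network_iocs=DEFANGED_INDICATORS, artifacts=STAGE_ARTIFACTS):
    """Return [(line_no, kind, matched_text)] for every line containing a known indicator."""
    matchers = (
        ("network", build_matcher(refang(i) for i in network_iocs)),
        ("artifact", build_matcher(artifacts)),
    )
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for kind, rx in matchers:
            for m in rx.finditer(line):
                hits.append((line_no, kind, m.group(0)))
    return hits


# Constructed sample log lines (not from the report): benign entries, true hits,
# and a near-miss IP that a naive substring search would flag.
SAMPLE_LOGS = [
    "2023-10-30T10:01:02Z dns query host=mbp-eng-07 qname=api.github.com",
    "2023-10-30T10:01:05Z dns query host=mbp-eng-07 qname=tp-globa.xyz",
    "2023-10-30T10:01:06Z netflow src=10.0.4.21 dst=23.254.226.90 dport=443 proto=tcp",
    "2023-10-30T10:00:40Z fsevent host=mbp-eng-07 path=/Users/dev/Downloads/Cross-Platform Bridges.zip",
    "2023-10-30T10:00:58Z process host=mbp-eng-07 cmd=python3 /Users/dev/Cross-Platform Bridges/Watcher.py",
    "2023-10-30T10:02:00Z netflow src=10.0.4.21 dst=123.254.226.90 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for line_no, kind, value in scan_logs(SAMPLE_LOGS):
        print(f"line {line_no}: {kind} indicator {value!r}")
```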


Hasnain Zaidi
