Lazarus used ‘KANDYKORN’ malware in attempt to compromise exchange —Elastic
Lazarus Group used a new form of malware in an attempt to compromise a crypto exchange, according to an October 31 report from Elastic Security Labs.
Elastic has
Once SUGARLOADER had been downloaded onto the computer, it connected to a remote server and downloaded KANDYKORN directly into the device’s memory. KANDYKORN contains numerous functions that the remote server can invoke to perform various malicious activities. For example, the command “0xD3” can be used to list the contents of a directory on the victim’s computer, and “resp_file_down” can be used to transfer any of the victim’s files to the attacker’s computer.
Elastic believes that the attack occurred in April 2023. It claims that the program is probably still being used to perform attacks today, stating:
“This threat is still active and the tools and techniques are being continuously developed.”
Centralized crypto exchanges and apps suffered a rash of attacks in 2023. Alphapo, CoinsPaid, Atomic Wallet, Coinex, Stake and others have been victims of these attacks, most of which seem to have involved the attacker stealing a private key off the victim’s device and using it to transfer customers’ cryptocurrency to the attacker’s address.
The US Federal Bureau of Investigation (FBI) has accused the Lazarus Group of being behind the Coinex hack, as well as performing the Stake attack and others.