Elastic catches DPRK passing out KANDYKORN
2023-11-01 • Elastic
https://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn
Elastic Security Labs attributes REF7001 to DPRK activity with overlaps to the Lazarus Group and describes an intrusion against blockchain engineers at a cryptocurrency exchange platform. The operators posed as members of a blockchain engineering community on Discord and persuaded a victim to run the contents of a ZIP file named Cross-Platform Bridges.zip, which appeared to contain a cryptocurrency arbitrage bot. A Python module named Watcher.py retrieved code from Google Drive, wrote and executed testSpeed.py, then launched FinderTools from /Users/Shared to download a hidden second-stage payload. The macOS chain progressed through SUGARLOADER, Discord-based persistence with a renamed .log component, HLOADER, and the KANDYKORN payload, with multiple stages relying on defense evasion and in-memory loading.
Indicators of Compromise