Malicious software designed for Apple's macOS is now being used to target individuals within the cryptocurrency community and engineers.

These social engineering attacks deceive community members into downloading a malicious ZIP archive named 'Cross-platform Bridges.zip,' which mimics an arbitrage bot created for automated profit generation.


A recently discovered macOS malware linked to the North Korean hacking group Lazarus has reportedly targeted blockchain engineers working for a cryptocurrency exchange platform.

The macOS malware, named "KandyKorn," operates as a stealthy backdoor capable of data retrieval, directory listing, file upload/download, secure deletion, process termination, and command execution, as detailed in an analysis by Elastic Security Labs.

macOS malware (REF7001) execution flow. Source: elastic.co

The malware's infection process is explained in the flowchart above. Initially, the attackers distributed Python-based modules through Discord channels, posing as members of the community. They used social engineering techniques to lure community members into downloading a malicious ZIP archive named 'Cross-platform Bridges.zip,' which masqueraded as an arbitrage bot designed for automated profit generation. In reality, the archive imports 13 malicious modules that work together to steal and manipulate information. The report noted:

"We observed the threat actor adopting a technique we have not previously seen them use to achieve persistence on macOS, known as execution flow hijacking."

Lazarus primarily targets the cryptocurrency sector for financial gain, rather than espionage, although they have other operational focuses. KandyKorn's existence highlights that macOS is also within Lazarus's scope, demonstrating the group's ability to create sophisticated and inconspicuous malware tailored for Apple computers.

In a related incident, a recent exploit on Unibot, a popular Telegram bot used for trading on the decentralized exchange Uniswap, caused a 40% crash in the token's price within one hour. Blockchain analytics firm Scopescan alerted Unibot users about an ongoing hack, which was later confirmed by an official source. Unibot committed to compensating users who lost funds due to the contract exploit.