The landscape of cybersecurity vulnerabilities affecting macOS systems is ever-evolving, prompting Apple to continually release security updates to address these susceptibilities. While macOS is generally perceived as more secure compared to some other operating systems, it is not impervious to exploitation, and hackers are quick to exploit new vulnerabilities as they emerge.
Recently, cybersecurity researchers at Elastic Security Labs have detected active hacker activity aimed at blockchain engineers associated with a cryptocurrency exchange platform. These hackers are employing a new macOS malware to breach their targets. The attack utilizes a combination of custom and open-source tools for initial access and post-exploitation activities.
A Closer Look at REF7001: The New macOS Malware
The discovery of this malware occurred during the analysis of a macOS endpoint. It was brought to light when a Python application disguised as a crypto bot was delivered to a victim via a direct message on Discord, a popular communication platform.
This cyber activity is believed to be linked to the Democratic People’s Republic of Korea (DPRK) and exhibits similarities to the tactics of the Lazarus Group, a notorious hacking collective. In response to these findings, security analysts have labeled this campaign as REF7001, considering various elements such as techniques, infrastructure, certificates, and detection rules.
Identifying Hackers and Their Tactics in Targeting Crypto Exchanges
The hackers behind this campaign adopted a deceptive approach, posing as members of the blockchain community on a public Discord channel. They succeeded in tricking an unsuspecting individual into downloading a ZIP file that was, in reality, a malicious payload. The victim, under the impression that they were downloading a crypto arbitrage bot, inadvertently initiated the initial compromise.
This marked the commencement of the REF7001 malware campaign, which progressed through multiple stages:
Stage 0 (Initial Compromise) – Watcher.py
In this stage, the malware named Watcher.py was responsible for the initial compromise.
Stage 1 (Dropper) – testSpeed.py and FinderTools
The second stage introduced testSpeed.py and FinderTools, which played the role of a dropper.
Stage 2 (Payload) – .sld and .log – SUGARLOADER
Stage 2 introduced the payload, comprising files with the .sld and .log extensions, referred to as SUGARLOADER.
Stage 3 (Loader) – Discord (fake) – HLOADER
This stage involved a loader: a fake Discord application labeled HLOADER.
Stage 4 (Payload) – KANDYKORN
The final stage, Stage 4, introduced KANDYKORN, which represents the ultimate payload of the malware campaign.
Stages 3 and 4 of the malware execution both communicate with the command and control (C2) server over an RC4-encrypted protocol, and both use the same encryption key. The samples encrypt data before transmission and decrypt it on receipt before processing it.
During the initialization process, a handshake occurs between the malware and the C2 server. If the handshake fails, the attack is halted.
The communication between the client and the C2 server follows a fixed sequence. The client sends a random number to the C2 server, which responds with a nonce; the client then computes a challenge and sends it to the server. Once the connection is established, the client provides its ID and waits for commands from the server. All data exchanged in either direction uses the same serialization pattern: a length, the payload, and a return code used to track errors.
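As an added example (not code from the Elastic report or from the malware itself), the framing and encryption described above can be reproduced as a small analyst helper that decrypts a recorded session with a recovered key and splits it into length/payload/return-code frames; the key, the 4-byte little-endian field widths and the single-keystream assumption are placeholders chosen for this example, not values taken from the page.

```python
import struct

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). The same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def encode_frame(payload: bytes, rc: int = 0) -> bytes:
    """length | payload | return code. The 4-byte little-endian field widths
    are an assumption of this example, not a value taken from the samples."""
    return struct.pack("<I", len(payload)) + payload + struct.pack("<I", rc)

def decode_frames(blob: bytes) -> list:
    """Split a decrypted stream into (payload, return_code) tuples.
    A truncated trailing frame is dropped rather than raising, which is what
    an analyst wants when a capture was cut off mid-session."""
    frames, pos = [], 0
    while pos + 8 <= len(blob):
        (n,) = struct.unpack_from("<I", blob, pos)
        end = pos + 4 + n + 4
        if end > len(blob):
            break  # incomplete frame at the end of the capture
        payload = blob[pos + 4 : pos + 4 + n]
        (rc,) = struct.unpack_from("<I", blob, pos + 4 + n)
        frames.append((payload, rc))
        pos = end
    return frames

def decrypt_session(key: bytes, capture: bytes) -> list:
    """Decrypt a recorded session and parse its frames. Assumes one RC4
    keystream covers a whole direction of traffic (also an assumption)."""
    return decode_frames(rc4(key, capture))

# Constructed sample session; the key is a placeholder, not the real one.
PLACEHOLDER_KEY = b"placeholder-key"
SESSION = [encode_frame(b"client-id:HOST-1"), encode_frame(b"cmd:ls", rc=1)]
CAPTURE = rc4(PLACEHOLDER_KEY, b"".join(SESSION))
```

Because both stages share one fixed key, a key recovered from either sample decrypts the traffic of both, which is the defender's main lever for reviewing captured C2 sessions.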
The distribution of the initial malware archive involved the hackers sharing a Google Drive link within a blockchain Discord server. This served as a gateway for unsuspecting victims to unknowingly download the malicious payload.
The analysis of REF7001 also revealed the presence of two C2 servers utilized by the attackers:
tp-globa[.]xyz//OdhLca1mLUp/lZ5rZPxWsh/7yZKYQI43S/fP7savDX6c/bfC
23.254.226[.]90
The modus operandi of this campaign aligns with the tactics employed by the DPRK’s Lazarus Group, which targets cryptocurrency-related companies in pursuit of stolen coins to evade international sanctions. These threat actors entice blockchain engineers on chat servers with the promise of financial gain, only to infect them when they engage with the malicious payloads. The REF7001 campaign underscores the persistent and evolving threat landscape in the world of cryptocurrency and blockchain technology. Security measures must continuously adapt to thwart such attacks and protect valuable assets.
In conclusion, the detection and analysis of REF7001 highlight the importance of robust security measures and vigilance within the cryptocurrency and blockchain communities, as malicious actors constantly seek new avenues for exploitation. It is imperative for organizations and individuals operating in these domains to remain informed and take proactive steps to safeguard their digital assets and data.