Infoblox’s DNS Early Detection Program identifies potentially malicious domains at the earliest opportunity, so they can be blocked well before OSINT reports or many threat intel feeds list them. The Lazarus Group’s KandyKorn campaign illustrates how fast DNS-based detection can disrupt the cyber kill chain and protect assets.
Key points
- Infoblox’s DNS Early Detection can identify suspicious domains weeks to months ahead of OSINT publications and some feeds, enabling early blocking.
- The Lazarus Group’s KandyKorn RAT targets blockchain engineers on macOS using Python-based tools delivered via social engineering on Discord.
- Attack steps include Stage 0 social engineering, Stage 1 Python execution, Stage 2 DNS-based C2, Stage 3 persistence, and Stage 4 final payload delivery.
- The C2 domain tp-globa.xyz was identified as suspicious and blocked by Infoblox within 3 days of WHOIS registration, illustrating rapid protection against a critical domain.
- Related domains (e.g., pro-tokyo.top) were also identified and blocked, underscoring connections across Lazarus campaigns.
- The campaign employs advanced techniques such as reflective loading to minimize on-disk artifacts and macOS persistence via login items.
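The detection idea behind the key points above, as an added illustration that is not Infoblox’s own code: flag DNS queries whose registrable domain was registered only days earlier, and measure how much lead time that gives over public reporting. The log lines and the tp-globa.xyz registration date are constructed placeholders; only the pro-tokyo.top WHOIS and OSINT dates come from the post.

```python
from datetime import datetime

# WHOIS creation dates (YYYY-MM-DD). pro-tokyo.top is the date stated in the post;
# the other two are constructed placeholders, not real registration data.
WHOIS_CREATED = {
    "pro-tokyo.top": "2023-07-18",
    "tp-globa.xyz": "2023-09-25",   # placeholder for illustration only
    "example.com": "1995-08-14",
}

# Constructed resolver log, one query per line: "<ISO time> <client IP> <qname>"
DNS_LOG = """\
2023-09-27T10:14:02Z 10.0.4.21 api.tp-globa.xyz
2023-09-27T10:14:05Z 10.0.4.21 www.example.com
2023-07-20T08:03:11Z 10.0.7.9 pro-tokyo.top
2023-07-20T08:03:12Z 10.0.7.9 cdn.example.com
"""

def registrable_domain(qname: str) -> str:
    """Reduce a query name to its last two labels. This is deliberately naive:
    a production check should use the Public Suffix List (e.g. for co.uk)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def flag_young_domains(log_text: str, whois: dict, max_age_days: int = 30) -> list:
    """Return (time, client, qname, age_days) for each query whose registrable
    domain was created at most max_age_days before the query was made.
    Domains without a WHOIS record are skipped rather than guessed at."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        created = whois.get(registrable_domain(qname))
        if created is None:
            continue
        queried_at = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        age = (queried_at - datetime.strptime(created, "%Y-%m-%d")).days
        if 0 <= age <= max_age_days:
            hits.append((ts, client, qname, age))
    return hits

def lead_time_days(earlier: str, later: str) -> int:
    """Days between two YYYY-MM-DD dates, e.g. WHOIS creation vs. OSINT publication:
    the window in which an age-based block protects before public reporting."""
    fmt = "%Y-%m-%d"
    return (datetime.strptime(later, fmt) - datetime.strptime(earlier, fmt)).days
```

Tune max_age_days to local tolerance for false positives; legitimate new domains will also appear, so treat a hit as a review or block-pending signal rather than proof of compromise.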
MITRE Techniques
- [T1566.002] Spearphishing Link – Social engineering via Discord delivering a Google Drive link to Cross-Platform Bridges.zip; Stage 0: “Stage 0: Social engineering blockchain engineers via conversations on Discord which loads Watcher.py”
- [T1082] System Information Discovery – Stage 1: “Watcher.py checks the Python version”
- [T1105] Ingress Tool Transfer – Stage 1: “testSpeed.py downloads and executes FinderTools”
- [T1059.006] Python – Stage 1: “Stage 1: Watcher.py checks the Python version and then runs testSpeed.py and acquires FinderTools”
- [T1071.004] DNS – Stage 2: “FinderTool connects to the C2 malicious domain tp-globa[.]xyz”
- [T1620] Reflective Loading – Stage 4: “KandyKorn uses reflective loading which is a direct-memory form of execution”
- [T1547.001] Boot or Logon Autostart – Stage 3: “Apple’s login item monitoring remains unaware of the techniques being used”
Indicators of Compromise
- [Domain] tp-globa.xyz – C2 DNS domain used by KandyKorn; tp-globa[.]xyz identified and blocked by Infoblox within 3 days of WHOIS date
- [Domain] pro-tokyo.top – Related malicious DNS domain identified and blocked; WHOIS date July 18, 2023, OSINT July 30, 2023
- [File Name] Cross-Platform Bridges.zip – ZIP file delivered via Google Drive containing malicious Python app
- [File Name] Watcher.py – Python script loaded by the app
- [File Name] testSpeed.py – Script downloaded and executed during Stage 1
- [File Name] FinderTools – Tool saved at /Users/Shared/FinderTools
- [File Name] SUGARLOADER – Executable used to locate config for KandyKorn
- [File Name] HLOADER – Payload downloaded by SUGARLOADER
- [Malware] KandyKorn – Lazarus Group RAT delivering the final payload and exfiltration capabilities
Read more: https://blogs.infoblox.com/cyber-threat-intelligence/dns-for-early-detection-lazarus-kandykorn/