Elastic catches DPRK passing out KANDYKORN — Elastic Security Labs

MITRE Techniques

• [T1566.003] Spearphishing via Service – The intruders social-engineered victims on Discord to download a ZIP; quote: “Attackers impersonated blockchain engineering community members on a public Discord frequented by members of this community. The attacker social-engineered their initial victim, convincing them to download and decompress a ZIP archive containing malicious code.”
• [T1105] Ingress Tool Transfer – The threat framework downloads and writes payloads from Google Drive; quote: “Utilizing the Python urllib library, the script fetches content from this URL and stashes it in the s_args variable.”
• [T1059.006] Python – Initial access and execution flow rely on Python scripts executed by the user; quote: “The victim manually ran the Main.py script via their PyCharm IDE Python interpreter.”
• [T1620] Reflective Code Loading – Final payload (KANDYKORN) is loaded in memory via reflective loading; quote: “Reflective loading is a powerful technique. If you’d like to learn more about how it works, check out this research by slyd0g and hackd.”
• [T1027] Obfuscated/Compressed Files and Information – SUGARLOADER is obfuscated with a binary packer to hinder static analysis; quote: “SUGARLOADER is used for initial access on the machine, and initializing the environment for the final stage. This binary is obfuscated using a binary packer, limiting what can be seen with static analysis.”
• [T1574] Hijack Execution Flow – Persistence via hijacking macOS Discord, replacing the legitimate binary with HLOADER; quote: “We observed the threat actor adopting a technique we have not previously seen them use to achieve persistence on macOS, known as execution flow hijacking. The target of this attack was the widely used application Discord.”
• [T1116] Code Signing – HLOADER uses a self-signed Mach-O signature to appear legitimate; quote: “The code signature information for HLOADER, which has a self-signed identifier structure consistent with other Lazarus Group samples.”
• [T1036] Masquerading – Legitimate Discord applications are renamed/masked to hide malicious activity; quote: “The legitimate binary /Applications/Discord.app/Contents/MacOS/Discord was renamed to .lock, and replaced by HLOADER.”
• [T1547] Boot or Logon Autostart – Discord is configured as a login item to launch at boot, enabling persistence; quote: “The Discord application is often configured by users as a login item and launched when the system boots, making it an attractive target for takeover.”
• [T1059] Command and Scripting Interpreter (Python) – The chain relies on Python scripts executed under user control; see above for Python usage.