Elastic Security Labs revealed that the North Korean threat group Lazarus used a Python program disguised as a cryptocurrency arbitrage bot to deliver a previously undocumented macOS malware, which Elastic named "KANDYKORN", to blockchain engineers. The lure was delivered as a direct message on a public Discord server.
Elastic first noticed the intrusion when its telemetry flagged an attempt to load a binary directly into memory on a macOS host. The follow-up investigation traced the attack back to the Python application posing as a cryptocurrency trading bot that had been sent to the victim over Discord.
“The victim believed they were installing an arbitrage bot, a software tool capable of profiting from cryptocurrency rate differences between platforms,” the researchers said.
Elastic attributes the attack to North Korea (DPRK) and points to overlaps with the Lazarus Group: the same techniques, shared network infrastructure, the certificates used to sign the malicious software, and matches against Elastic's own custom detection rules for Lazarus Group activity. Elastic tracks this intrusion as REF7001.