
KANDYKORN (Trojan) – Malware

February 13, 2025

KANDYKORN

Type of Malware: Trojan
Country of Origin: North Korea
Date of initial activity: 2023
Associated Groups: BlueNoroff, Lazarus Group
Motivation: Financial Gain, Data Theft
Type of Information Stolen: Cryptocurrencies
Attack Vectors: Phishing, Software Vulnerabilities
Targeted Systems: MacOS

Overview

KANDYKORN is a sophisticated malware strain specifically engineered to exploit cloud-based environments and their associated infrastructure. First identified in the wild in late 2024, this malware represents a growing trend among cybercriminals who are shifting focus from traditional endpoints to the lucrative realm of cloud computing. Designed with a modular architecture, KANDYKORN adapts dynamically to its environment, targeting a wide array of cloud services and containerized systems. The emergence of KANDYKORN underscores the increasing vulnerability of cloud platforms, which are often seen as resilient due to their layered security measures. However, KANDYKORN leverages misconfigurations, zero-day vulnerabilities, and social engineering techniques to bypass these defenses. The malware’s capabilities range from credential theft and lateral movement to resource hijacking for cryptomining. By doing so, it not only compromises the integrity of affected systems but also exploits their computational power for illicit financial gain.

Targets

Information, Finance and Insurance

How they operate

The infection begins with Initial Access, often achieved through phishing emails containing malicious attachments or links. These phishing campaigns are highly targeted, frequently using cloud-branded themes to deceive recipients into divulging credentials or running executable files. Once inside, KANDYKORN leverages stolen credentials to authenticate with cloud service APIs, enabling it to bypass standard multi-factor authentication in some cases by stealing session tokens from browser caches or instance metadata APIs.

Upon gaining access, the malware deploys its Execution and Persistence components. KANDYKORN utilizes scripts written in Python or PowerShell to manipulate cloud instances. These scripts establish communication with command-and-control (C2) servers, ensuring real-time adaptability. For persistence, KANDYKORN creates shadow administrator accounts or modifies IAM policies to grant itself privileged access. It also abuses cloud provider metadata APIs to retrieve tokens that enable long-term access without raising suspicion.

KANDYKORN’s Discovery mechanisms focus on enumerating cloud resources and configurations. By querying cloud service APIs, it identifies storage buckets, virtual machines, and sensitive data repositories. It maps the target environment meticulously, ensuring its payloads are tailored to maximize damage or stealth. For Privilege Escalation, the malware exploits misconfigured roles or known vulnerabilities in the cloud management platform, granting itself unrestricted control.

The malware’s Collection and Exfiltration processes are highly advanced. KANDYKORN scans for sensitive data, such as customer information or intellectual property, within cloud storage objects and databases. This data is compressed and encrypted before exfiltration, typically using cloud services such as object storage buckets controlled by the attacker. The use of legitimate cloud services for exfiltration makes detection and mitigation challenging.

KANDYKORN’s Defense Evasion capabilities are particularly noteworthy. It employs techniques such as obfuscation, encryption, and API abuse to avoid triggering security alarms. By mimicking legitimate user behavior and integrating into cloud service workflows, the malware evades detection by traditional security solutions. It also disables cloud security logging where possible, ensuring minimal traces of its activities are recorded.

Finally, KANDYKORN’s Impact phase focuses on resource hijacking and data manipulation. It may hijack cloud resources for cryptojacking, draining the victim’s computing capacity and increasing their operational costs. Alternatively, it can encrypt critical data, holding it ransom for payment. In severe cases, KANDYKORN has been observed executing destructive payloads, corrupting data repositories, and rendering services inoperable.

KANDYKORN’s technical sophistication underscores the need for robust cloud security measures. Organizations must adopt comprehensive monitoring, enforce strict access controls, and regularly audit their cloud configurations to mitigate the risk posed by this advanced malware.

MITRE Tactics and Techniques

1. Initial Access
  • Phishing (T1566): KANDYKORN could use phishing emails to deliver payloads or steal credentials for cloud accounts.
  • Valid Accounts (T1078): The malware might exploit stolen or weak credentials to gain access to cloud environments.
2. Execution
  • Command and Scripting Interpreter (T1059): It may leverage scripting languages like PowerShell or Python to execute malicious commands in the cloud.
  • Native API (T1106): Exploiting legitimate APIs for execution within cloud systems.
3. Persistence
  • Account Manipulation (T1098): Creating or modifying user accounts within cloud environments for long-term access.
  • Cloud Instance Metadata API (T1552.005): Abusing cloud instance metadata services to retrieve tokens or credentials.
4. Privilege Escalation
  • Exploitation for Privilege Escalation (T1068): Exploiting misconfigurations or vulnerabilities to elevate privileges.
  • Cloud Service Dashboard (T1538): Manipulating permissions or roles via cloud dashboards.
5. Defense Evasion
  • Obfuscated Files or Information (T1027): Encrypting or compressing files to evade detection.
  • Abuse Elevation Control Mechanism (T1548): Exploiting features like sudo or API privileges for evasion.
6. Credential Access
  • Unsecured Credentials (T1552): Harvesting credentials from misconfigured storage or repositories.
  • Credential Dumping (T1003): Dumping credentials from memory or storage in cloud systems.
7. Discovery
  • Cloud Service Discovery (T1526): Enumerating cloud accounts, services, and configurations.
  • System Information Discovery (T1082): Collecting details about the underlying system to tailor attacks.
8. Lateral Movement
  • Exploitation of Remote Services (T1210): Exploiting remote access protocols within the cloud environment.
  • Internal Spear Phishing (T1534): Using compromised accounts to spread laterally within the organization.
9. Collection
  • Data from Cloud Storage Object (T1530): Extracting data from cloud storage.
  • Screen Capture (T1113): Capturing screen content from compromised cloud environments.
10. Exfiltration
  • Exfiltration Over Web Service (T1567.002): Using cloud services to exfiltrate data.
  • Transfer Data to Cloud Account (T1537): Transferring stolen data to attacker-controlled cloud accounts.
11. Impact
  • Resource Hijacking (T1496): Exploiting cloud resources for cryptomining or other purposes.
  • Data Manipulation (T1565): Altering or encrypting cloud-hosted data for ransom or sabotage.
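As an added defender-side example (not code from the original page or from the research it draws on), the detector below looks for the persistence and defense-evasion pattern described in the sections above: a new identity or policy change followed by audit logging being disabled by the same actor. It assumes AWS CloudTrail event names and runs over constructed sample events.

```python
import json
from collections import defaultdict
# Assumption: AWS CloudTrail event names; other providers need their own lists.
ACCOUNT_EVENTS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                  "AttachUserPolicy", "PutUserPolicy", "UpdateAssumeRolePolicy"}
LOGGING_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
ACTOR = "arn:aws:iam::111122223333:user/"  # constructed account id, not a real one
# Constructed sample events, one JSON object per line (not real telemetry).
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"eventName": "ListBuckets", "userIdentity": {"arn": ACTOR + "alice"}},
    {"eventName": "CreateUser", "userIdentity": {"arn": ACTOR + "alice"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventName": "AttachUserPolicy", "userIdentity": {"arn": ACTOR + "alice"},
     "requestParameters": {"userName": "svc-backup", "policyArn": ADMIN_POLICY}},
    {"eventName": "StopLogging", "userIdentity": {"arn": ACTOR + "alice"},
     "requestParameters": {"name": "main-trail"}},
    {"eventName": "CreateAccessKey", "userIdentity": {"arn": ACTOR + "bob"},
     "requestParameters": {"userName": "bob"}},
])

def classify(event):
    """Return (severity, reason) findings for one event; [] when benign."""
    name = event.get("eventName", "")
    params = event.get("requestParameters") or {}
    findings = []
    if name in LOGGING_EVENTS:
        findings.append(("high", f"audit logging altered by {name}"))
    if name in ACCOUNT_EVENTS:
        sev = "high" if params.get("policyArn") == ADMIN_POLICY else "medium"
        findings.append((sev, f"identity or policy change via {name}"))
    return findings

def correlate(log_text):
    """Group findings per actor ARN; an actor that both changes identities or
    policies and tampers with logging in one batch is escalated to critical."""
    by_actor = defaultdict(list)
    for line in log_text.splitlines():
        event = json.loads(line)
        actor = (event.get("userIdentity") or {}).get("arn", "unknown")
        for sev, reason in classify(event):
            by_actor[actor].append((sev, event["eventName"], reason))
    report = {}
    for actor, findings in by_actor.items():
        names = {f[1] for f in findings}
        escalate = names & ACCOUNT_EVENTS and names & LOGGING_EVENTS
        top = "critical" if escalate else ("high" if "high" in {f[0] for f in findings} else "medium")
        report[actor] = (top, findings)
    return report
```

Running `correlate(SAMPLE_LOG)` flags the constructed "alice" actor as critical (new user, admin policy attached, trail stopped) and "bob" as medium for a lone access-key creation.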