Sugarcoating KANDYKORN: a sweet dive into a sophisticated MacOS backdoor - Salim Bitam (Elastic)
Presented at the VB2024 conference in Dublin, 2 - 4 October 2024.
↓ Slides: https://www.virusbulletin.com/uploads/pdf/conference/vb2024/slides/Slides-Sugarcoating-KANDYKORN-a-sweet-dive-into-a-sophisticated-MacOS-backdoor.pdf
↓ Paper: https://www.virusbulletin.com/uploads/pdf/conference/vb2024/papers/Sugarcoating-KANDYKORN-a-sweet-dive-into-a-sophisticated-MacOS-backdoor.pdf
→ Details: https://www.virusbulletin.com/conference/vb2024/abstracts/sugarcoating-kandykorn-sweet-dive-sophisticated-macos-backdoor/
✪ PRESENTED BY ✪
• Salim Bitam (Elastic)
✪ ABSTRACT ✪
KANDYKORN is a novel MacOS backdoor recently discovered by Elastic Security Labs during an intrusion targeting engineers at a prominent crypto exchange platform. With MacOS devices increasingly becoming prime targets, the discovery of KANDYKORN sheds light on new trends being adopted by cybercriminals and state-sponsored actors.
Operating covertly, KANDYKORN employs a feature-rich multi-staged loader paired with a custom network protocol to facilitate a range of post-compromise activities. Its diverse functionality includes capabilities that enable lateral movement and data exfiltration while allowing the adversary to remain under the radar.
In this talk, attendees will gain an in-depth understanding of KANDYKORN’s attack chain, its heavily obfuscated loader responsible for loading the backdoor reflectively in memory (a technique atypical in MacOS environments), and its use of execution flow hijacking to achieve persistence. Through a detailed analysis of its code and behaviour, participants will come away with a comprehensive picture of this versatile malware and its unique network protocol.
KANDYKORN serves as a prime example of how mature threat groups are adapting to new techniques and targeting their victims. By leveraging social media platforms like Discord with enticing lures, these actors are finding new paths into highly targeted environments.
Additionally, we will discuss our methodology for reversing KANDYKORN, including the development of a custom tool to interact with the malware and build detection mechanisms. This custom tool will be released to the public to raise awareness and promote more detections by providing the ability to emulate the threat in a safe environment.