The relentless pursuit of cryptocurrencies by North Korean hacking groups has taken a new turn with the emergence of a previously unknown malware strain dubbed “Durian.”
According to a report by cybersecurity firm Kaspersky, the notorious Kimsuky hacking group, also known as APT43, has employed this malware in targeted cyber attacks against at least two South Korean cryptocurrency companies.
TLDR
- The North Korean hacker group Kimsuky has deployed a new malware called “Durian” to target South Korean cryptocurrency firms.
- Durian is a multifunctional backdoor malware that enables command execution, file downloads, and data exfiltration.
- The malware exploited legitimate security software specific to South Korean crypto firms to gain initial access.
- There are potential links between Kimsuky and the infamous Lazarus Group, another North Korean hacking entity, suggesting collaboration in targeting the cryptocurrency sector.
- Kimsuky has a history of conducting phishing attacks and targeting aerospace defense companies, taking advantage of events like the COVID-19 pandemic.
Durian, characterized by its multifunctional backdoor capabilities, is a Golang-based malware that enables a range of malicious activities once deployed on a target system.
It allows for command execution, file downloads, and data exfiltration, granting the attackers a comprehensive foothold within the compromised networks.
The initial access to the targeted cryptocurrency firms was gained through the exploitation of legitimate security software specific to South Korean crypto companies.
This tactic demonstrates the group’s ability to identify and leverage vulnerabilities within the industry’s trusted software ecosystem, making the attacks more challenging to detect and mitigate.
Once Durian gained a foothold, it deployed additional tools, including Kimsuky’s backdoor named “AppleSeed” and a custom proxy tool called “LazyLoad.”
The presence of LazyLoad raises suspicions of potential links between Kimsuky and the infamous Lazarus Group, another North Korean hacking entity known for its involvement in high-profile cyber attacks and cryptocurrency heists.
According to Kaspersky’s telemetry, the first compromise occurred in August 2023, followed by a second attack in November of the same year.
Our latest APT trends for Q1, 2024 is now live and includes a look at some of the more interesting APT activities revealed during Q1, including Careto APT reappearance, hacktivist activity, and much more.
Full report ⇒ https://t.co/yTe8mxePF1
— Kaspersky (@kaspersky) May 9, 2024
This timeline suggests a sustained campaign by Kimsuky, with the potential for further attacks on other cryptocurrency firms in the region or beyond.
Kimsuky, believed to be operating under the auspices of North Korea’s Reconnaissance General Bureau (RGB), the country’s military intelligence agency, has a track record of conducting various phishing attacks and exploiting global events like the COVID-19 pandemic to advance its cyber operations.
In December 2023, the group reportedly disguised itself as South Korean government agency representatives and journalists to steal cryptocurrencies from individuals.
According to police reports, a staggering 1,468 people fell victim to these phishing attacks between March and October 2023, highlighting the group’s sophistication and persistence.
The deployment of Durian represents a concerning development in North Korea’s cyber warfare capabilities, particularly in the realm of cryptocurrency theft.
As digital assets continue to gain mainstream adoption, the risk of state-sponsored hacking groups targeting this sector increases, posing significant threats to individuals, businesses, and the overall integrity of the cryptocurrency ecosystem.