North Korean Hackers Target Crypto Firms with ‘Durian’ Malware

North Korean state-backed hackers are using a new malware variant called “Durian” to attack South Korean cryptocurrency firms. The hacking group known as Kimsuky has been identified as the perpetrator behind these sophisticated cyberattacks, which have already targeted at least two firms in the region.

Introduction of Durian Malware

According to a recent threat analysis released on May 9 by the cybersecurity firm Kaspersky, Kimsuky executed the attacks through a persistent approach, exploiting legitimate security software unique to South Korean crypto firms. Durian serves as an installer for a suite of malicious tools, including a backdoor named “AppleSeed,” a custom proxy tool “LazyLoad,” and the use of legitimate utilities like Chrome Remote Desktop.

Capabilities of Durian

Kaspersky’s report highlights that Durian offers extensive backdoor functionalities, which include executing commands, downloading additional files, and extracting sensitive data from the infected systems. This enables the attackers to maintain sustained access to the targeted networks and carry out further malicious activities undetected.

Interestingly, Kimsuky's use of LazyLoad suggests potential links to Andariel, a subgroup of the notorious Lazarus Group, another North Korean hacking entity. This overlap in tooling points to collaboration or shared resources among different North Korean cybercriminal groups.

Background on Lazarus Group’s Activities

Lazarus Group, active since 2009, is infamous for its involvement in numerous high-profile cyber thefts, particularly targeting cryptocurrency assets. Independent blockchain analyst ZachXBT reported that Lazarus laundered over $200 million in stolen crypto from 2020 to 2023. In total, it’s estimated that Lazarus Group has expropriated over $3 billion in crypto assets over the past six years.

In 2023 alone, Lazarus was responsible for stealing approximately 17% of all stolen funds, which equates to over $309 million. According to a December 28 report by Immunefi, the cryptocurrency sector saw losses exceeding $1.8 billion due to hacks and exploits last year.

The introduction of the Durian malware by Kimsuky marks a significant escalation in the cyber threat landscape, particularly for cryptocurrency firms in South Korea, emphasizing the need for enhanced security measures and vigilance among companies operating in the crypto space.

Anish Khalifa
Hi there! I'm Anish Khalifa, a passionate cryptocurrency content writer with a deep love for this ever-evolving industry. I've been writing about crypto for over 3 years now and I've been captivated by its potential to revolutionize the financial world.