Key Takeaways:
- Novel Malware Deployment: Kimsuky, a North Korean hacking collective, has introduced a new malware named “Durian” targeting South Korean cryptocurrency firms, leveraging disguises as legitimate security applications to infiltrate systems.
- Complex Attack Framework: Durian first acts as an installer for further malicious programs, including the backdoor “AppleSeed,” the proxy tool “LazyLoad,” and legitimate remote-access software such as Chrome Remote Desktop repurposed for espionage.
- Broader Cyber Threat Landscape: Kimsuky’s use of LazyLoad overlaps with tooling attributed to Andariel, suggesting collaboration or shared tactics among North Korean hacking factions, and the campaign adds to the extensive vulnerabilities and significant financial losses already seen in the crypto sector.
The North Korean hacking collective known as Kimsuky has deployed a novel malware, referred to as “Durian,” in attacks against South Korean cryptocurrency firms, as detailed in a recent threat assessment by cybersecurity experts at Kaspersky.
This sophisticated malware was used to target at least two firms, abusing security software used specifically by these companies.
According to the May 9 report from Kaspersky, the Durian malware infiltrates systems through a persistent attack method, disguising itself as a legitimate security application.
This malware functions as an installer, setting the stage for a cascade of malicious programs, including a backdoor called “AppleSeed,” a custom proxy tool named “LazyLoad,” and legitimate tools such as Chrome Remote Desktop abused for remote access.
Kaspersky describes Durian’s capabilities: “Durian boasts comprehensive backdoor functionality, enabling the execution of delivered commands, additional file downloads, and exfiltration of files.”
The investigation also uncovered connections between the use of LazyLoad by Kimsuky and Andariel, a subgroup of the infamous North Korean hacking group Lazarus, hinting at possible collaborations or shared techniques between these formidable cyber adversaries.
The Lazarus Group, which first came to prominence in 2009, is one of the most prolific hacking groups in the crypto space.
Recent findings by independent blockchain investigator ZachXBT indicated that Lazarus had laundered more than $200 million from illicit cryptocurrency activities between 2020 and 2023.
Cumulatively, Lazarus is implicated in thefts totaling over $3 billion over the past six years, with $309 million stolen in 2023 alone, making up 17% of that year’s total crypto losses.
These revelations highlight the ongoing vulnerabilities in the crypto industry, which saw losses exceeding $1.8 billion due to hacks and exploits in 2023, based on a report from Immunefi dated December 28.