According to reports, the North Korean threat group known as Kimsuky has been using a previously undocumented malware family called “Durian” in targeted attacks against South Korean cryptocurrency companies.
The activity is described in a threat intelligence report recently published by Kaspersky. According to Kaspersky’s research, Durian was delivered by exploiting security software used by South Korean crypto businesses, at least two of which have been identified as victims.
“Following the analysis of our data, we were able to identify two victims operating within the bitcoin industry in South Korea. The initial compromise took place in August 2023, and then a second one took place in November of the same year.
“It is important to note that our investigation did not uncover any additional victims during these incidents, which indicates that the actor took a highly targeted approach,” the study stated.
Durian is an “initial-stage” installer: its job is to introduce further malware and establish persistence on the device or instance it infects. Once executed, it drops a staging loader and registers it with the operating system so that it runs automatically. The installation chain ends with a final payload written in Golang, the open-source programming language developed by Google.
The final payload then allows the operator to execute remote commands, including instructing the infected device to download files and exfiltrate them. The choice of language is also notable: Go is well suited to networked tooling and large codebases, and it produces statically linked binaries that are easy to deploy across systems, which is one reason it has become popular with malware authors.
Notably, the Kaspersky research also found that Andariel, a sub-group within the notorious North Korean hacking consortium Lazarus Group, has previously used LazyLoad, a tool that Durian also deploys. Although Kaspersky described the connection as “tenuous,” the overlap suggests a closer relationship between Kimsuky and Lazarus than was previously assumed.
Since its emergence in 2009, the Lazarus Group has established itself as one of the most notorious crypto-focused hacking groups. In a recent revelation, independent on-chain investigator ZachXBT disclosed that the group laundered more than two hundred million dollars’ worth of illicitly obtained cryptocurrency between 2020 and 2023. Lazarus is also accused of stealing more than three billion dollars’ worth of cryptocurrency assets over the six years leading up to 2023.
Last week, a court in the United States ordered the forfeiture of 279 cryptocurrency accounts linked to North Korean threat actors.