CRYPTOSTAKE
StakingMarketRegulationCryptostake ExplainsUncharted
North Korean Hackers Target South Korean Crypto Firms with New 'Durian' Malware

Introduction of 'Durian' malware in cyber attacks

North Korean hackers have launched sophisticated cyberattacks on South Korean cryptocurrency companies using a newly developed malware named 'Durian.'

Key takeaways:

  • Kimsuky, a North Korean hacking group, has initiated targeted cyberattacks on South Korean cryptocurrency firms using a new malware variant called 'Durian.'
  • The Durian malware facilitates the installation of further malicious software, including a backdoor called AppleSeed and a custom proxy tool known as LazyLoad.
  • Kaspersky's analysis suggests that there might be links between Kimsuky and the notorious Lazarus Group, another North Korean hacking entity, known for its extensive cyber heists.

A new malware variant, named "Durian," has been deployed by North Korean hackers targeting South Korean cryptocurrency firms. The state-backed hacking group Kimsuky is reportedly behind these sophisticated attacks, which have impacted at least two companies to date. According to a threat report released by Kaspersky on May 9, these attacks were executed through the exploitation of legitimate security software uniquely utilized by South Korean crypto firms.

The Durian malware operates primarily as an installer, facilitating the deployment of additional malicious components including the backdoor "AppleSeed," the custom proxy tool "LazyLoad," and other legitimate tools like Chrome Remote Desktop.

Kaspersky detailed in their report:

"Durian boasts comprehensive backdoor functionality, enabling the execution of delivered commands, additional file downloads, and exfiltration of files," 

Further analysis by Kaspersky revealed that LazyLoad, also utilized by Durian, has been previously used by Andariel, a subgroup within the infamous North Korean hacking consortium Lazarus Group. This connection hints at a possible collaboration or shared techniques between Kimsuky and Lazarus, enhancing the threat landscape posed by these entities.

Historical context and links to Lazarus Group

Lazarus Group has gained notoriety for its significant cyber-heists, accruing over $3 billion in stolen crypto assets over six years. According to independent blockchain analyst ZachXBT, just in the period from 2020 to 2023, the Lazarus Group laundered over $200 million in illicitly obtained crypto. In 2023 alone, Lazarus was responsible for stealing more than 17%—approximately $309 million—of the total funds stolen, aligning with data from Immunefi that reported over $1.8 billion in crypto was lost to hacks and exploits in the same year.