North Korean hackers are reportedly using a new and notable malware variant called “Durian” to carry out attacks on cryptocurrency companies in South Korea. According to a threat report from cybersecurity firm Kaspersky, the North Korean hacking group Kimsuky has already used this malware in targeted attacks on at least two crypto firms. The attacks were carried out by exploiting legitimate security software that is used exclusively by crypto firms in South Korea.
The previously unknown Durian malware functions as an installer that deploys several further payloads, including a backdoor called “AppleSeed,” a custom proxy tool known as LazyLoad, and legitimate tools such as Chrome Remote Desktop. Kaspersky stated that Durian has extensive backdoor functionality of its own, allowing it to execute commands, download additional files, and exfiltrate files.
In addition, Kaspersky pointed out that LazyLoad was also utilized by Andariel, a sub-group of the notorious North Korean hacking consortium Lazarus Group. This suggests a possible connection between Kimsuky and Lazarus Group.
Lazarus Group, which first emerged in 2009, has gained a notorious reputation as one of the most prominent groups of crypto hackers. On April 29, blockchain investigator ZachXBT revealed that Lazarus Group had successfully laundered more than $200 million in illicitly obtained cryptocurrencies between 2020 and 2023. The group is also accused of stealing over $3 billion in crypto assets over a span of six years leading up to 2023. In 2023 alone, Lazarus Group was responsible for stealing over $309 million, which accounted for approximately 17% of the total stolen funds. Throughout the same year, hacks and exploits led to the loss of more than $1.8 billion worth of cryptocurrencies, as reported by Immunefi on December 28.