TLDR:
– North Korean hackers deployed new Golang malware called Durian against crypto firms
– Malware includes backdoor functionality, file exfiltration, and theft of browser-stored data
North Korean threat actor Kimsuky has been identified using a new Golang-based malware called Durian in targeted cyber attacks on two South Korean cryptocurrency firms. The malware, discovered by Kaspersky, supports command execution, file downloads, and data exfiltration. The attacks, which occurred in August and November 2023, abused legitimate South Korean software as the infection pathway. Once running, the initial stage connects to the attacker’s server to retrieve a malicious payload and start the infection sequence. Durian is then used to deploy additional malware, including AppleSeed and a custom proxy tool called LazyLoad, with the end goal of stealing browser-stored data such as cookies and login credentials.
Kimsuky, also tracked as APT43 and active since 2012, has been linked to the North Korean regime’s cyber espionage activities. LazyLoad, used in these attacks, was previously associated with the Lazarus Group, hinting at a potential collaboration between the two groups. Kimsuky’s operations focus on compromising experts and analysts in order to extract data of value to the North Korean regime. The group has also been linked to campaigns using a C#-based remote access trojan and information stealer.
A separate North Korean state-sponsored group, ScarCruft, has been targeting South Korean users with Windows shortcut (.lnk) files that lead to the deployment of RokRAT. Also known as APT37, ScarCruft is aligned with North Korea’s Ministry of State Security and gathers intelligence in support of the country’s interests. The shortcut-file lures are aimed at South Korean users, particularly those with a connection to North Korea.
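Shortcut files are a recurring initial-access vehicle because a .lnk can launch an interpreter with an arbitrary command line while showing the user a document icon. The script below is an added example of how a defender can triage .lnk attachments before they reach a user; it is not code from the article, from Kaspersky, or from any ScarCruft sample, and it makes no claim about how RokRAT's shortcuts are built. It parses the MS-SHLLINK header and StringData fields (the launch target and arguments) and applies generic heuristics: a script host or LOLBin as the target, an encoded PowerShell command, and data appended after the last ExtraData block. The thresholds and the two sample shortcuts are constructed for illustration.

```python
"""Triage Windows shortcut (.lnk) files. Added example, not from the article or Kaspersky.
Parses the MS-SHLLINK header and StringData and flags traits common to weaponised lures.
Thresholds and sample files are constructed assumptions, not observed ScarCruft artefacts."""
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1), low byte only; enough for this triage
FLAG_HAS_IDLIST = 0x01
FLAG_HAS_LINKINFO = 0x02
FLAG_HAS_NAME = 0x04
FLAG_HAS_RELATIVE_PATH = 0x08
FLAG_HAS_WORKING_DIR = 0x10
FLAG_HAS_ARGUMENTS = 0x20
FLAG_HAS_ICON_LOCATION = 0x40
FLAG_IS_UNICODE = 0x80

# StringData fields appear in this fixed order when their flag is set
STRING_FIELDS = (("name", FLAG_HAS_NAME), ("relative_path", FLAG_HAS_RELATIVE_PATH),
                 ("working_dir", FLAG_HAS_WORKING_DIR), ("arguments", FLAG_HAS_ARGUMENTS),
                 ("icon_location", FLAG_HAS_ICON_LOCATION))

# Interpreters and LOLBins a document-looking shortcut has no business launching
SCRIPT_HOSTS = ("cmd.exe", "powershell", "pwsh", "mshta", "wscript",
                "cscript", "rundll32", "regsvr32", "certutil", "bitsadmin")


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, StringData and how many bytes follow the last ExtraData block."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = LNK_HEADER_SIZE
    if flags & FLAG_HAS_IDLIST:            # LinkTargetIDList: 2-byte size + items
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & FLAG_HAS_LINKINFO:          # LinkInfo: 4-byte size covers the whole struct
        (linkinfo_size,) = struct.unpack_from("<I", data, pos)
        pos += linkinfo_size
    unicode = bool(flags & FLAG_IS_UNICODE)
    strings = {}
    for field, flag in STRING_FIELDS:      # each field: 2-byte char count, then the text
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, pos)
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated StringData field {field}")
        strings[field] = raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")
        pos += nbytes
    while pos + 4 <= len(data):            # ExtraData blocks; a size below 4 terminates
        (block_size,) = struct.unpack_from("<I", data, pos)
        if block_size < 4:
            pos += 4
            break
        pos += block_size
    pos = min(pos, len(data))
    return {"flags": flags, "strings": strings, "trailing_bytes": len(data) - pos}


def triage_lnk(data: bytes) -> list[str]:
    """Heuristic findings for one shortcut; an empty list means nothing stood out."""
    info = parse_lnk(data)
    s = info["strings"]
    args = s.get("arguments", "")
    launch = (s.get("relative_path", "") + " " + args).lower()
    findings = []
    hosts = [h for h in SCRIPT_HOSTS if h in launch]
    if hosts:
        findings.append("launches script host or LOLBin: " + ", ".join(hosts))
    if len(args) > 200:                    # threshold is an assumption; tune per environment
        findings.append(f"unusually long command line ({len(args)} chars)")
    if "-enc" in args.lower() or "frombase64string" in args.lower():
        findings.append("base64-encoded PowerShell in arguments")
    if info["trailing_bytes"] > 0:
        findings.append(f"{info['trailing_bytes']} bytes after the last ExtraData block "
                        "(possible appended payload)")
    return findings


def build_lnk(relative_path: str, arguments: str = "", appended: bytes = b"") -> bytes:
    """Assemble a minimal Unicode shortcut for testing (constructed, not a real sample)."""
    flags = FLAG_IS_UNICODE | FLAG_HAS_RELATIVE_PATH | (FLAG_HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I16sIIqqqIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand=1, rest zeroed

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = header + string_data(relative_path)
    if arguments:
        body += string_data(arguments)
    return body + struct.pack("<I", 0) + appended   # terminal ExtraData block, then extras


# Constructed samples: an ordinary app shortcut and a lure that chains cmd.exe into PowerShell
BENIGN_LNK = build_lnk("..\\..\\Program Files\\Notepad\\notepad.exe")
SUSPICIOUS_LNK = build_lnk("..\\..\\Windows\\System32\\cmd.exe",
                           "/c powershell -w hidden -ep bypass -enc QQBBAEEA",
                           appended=b"MZ" + b"\x90" * 62)   # stand-in for a carved payload

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("suspicious", SUSPICIOUS_LNK)):
        print(label, triage_lnk(blob) or ["clean"])
```

Run it over a mail-gateway quarantine or a user's Downloads folder and route anything with a finding to an analyst; the appended-data check is the one worth keeping even if the command-line heuristics are tuned down, because a legitimate shortcut has no reason to carry bytes past its terminal ExtraData block.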
Overall, the use of purpose-built malware like Durian highlights the evolving threat posed by North Korean actors to high-value targets such as cryptocurrency firms.