North Korean Hackers Target South Korean Crypto Firms with New Malware

North Korean hackers have been making headlines with their utilization of a new and potent malware variant named “Durian.” This malware, described as “striking” by experts, has been deployed in targeted attacks against South Korean cryptocurrency firms, raising concerns about the security of digital assets in the region.

According to a threat report released on May 9 by cybersecurity firm Kaspersky, the North Korean hacking group known as Kimsuky has been identified as the perpetrator behind the Durian malware attacks. These attacks have been characterized as “persistent,” exploiting vulnerabilities in legitimate security software exclusively utilized by cryptocurrency firms in South Korea.

The Durian malware operates as an installer, facilitating the deployment of a series of malicious tools, including a backdoor identified as “AppleSeed,” a custom proxy tool called LazyLoad, and other legitimate applications such as Chrome Remote Desktop. Kaspersky’s analysis reveals that Durian possesses comprehensive backdoor functionality, enabling threat actors to execute commands, download additional files, and exfiltrate sensitive data with ease.

Of particular concern is the connection between Kimsuky and another notorious North Korean hacking consortium, Lazarus Group. Kaspersky notes that LazyLoad, a component of the Durian malware, has also been employed by Andariel, a sub-group within the Lazarus Group. This connection suggests a “tenuous” collaboration between Kimsuky and the more established Lazarus Group, which has been active in cybercrime since 2009.

The Lazarus Group’s track record in the cryptocurrency space is alarming. Independent blockchain investigator ZachXBT recently revealed that the group successfully laundered over $200 million in illicit cryptocurrency between 2020 and 2023. Over the years, the Lazarus Group has been accused of stealing more than $3 billion in crypto assets, with a significant portion of these funds attributed to hacks and exploits targeting cryptocurrency exchanges and firms.

In 2023 alone, Lazarus was responsible for pilfering over $309 million in cryptocurrency, accounting for 17% of the total stolen funds that year. Immunefi’s report from December 28 underscores the pervasive threat posed by cybercriminals, with more than $1.8 billion worth of cryptocurrency lost to hacks and exploits throughout the year.

As the cryptocurrency landscape continues to evolve, the emergence of sophisticated malware like Durian underscores the importance of robust cybersecurity measures. South Korean cryptocurrency firms must remain vigilant and implement stringent security protocols to safeguard against potential cyber threats orchestrated by state-sponsored actors like Kimsuky and Lazarus Group.

Digital Assets Desk