North Korean Hackers Targeting Crypto Firms with ‘Durian’ Malware; Kaspersky Confirms


A May 9 threat report from cybersecurity firm Kaspersky reveals that the North Korean hacking group Kimsuky employed this malware in targeted attacks against at least two cryptocurrency firms.

These attacks exploited legitimate security software that is exclusively used by South Korean cryptocurrency firms. The Durian malware, previously undisclosed, acted as an installer for various spyware tools, including a backdoor named “AppleSeed,” a customized proxy tool called LazyLoad, and other legitimate programs such as Chrome Remote Desktop.

Kaspersky noted, “Durian offers extensive backdoor capabilities, allowing for the execution of delivered commands, additional file downloads, and the extraction of files.”

Additionally, the cybersecurity firm found that LazyLoad was utilized by Andariel, a subgroup within the North Korean hacking collective Lazarus Group, suggesting a “tenuous” connection between Kimsuky and the more notorious hacking organization. Established in 2009, Lazarus has gained notoriety as one of the most infamous cryptocurrency hacking groups.

On April 29, independent blockchain investigator ZachXBT reported that the Lazarus group had effectively laundered more than $200 million in illicit cryptocurrency between 2020 and 2023.

In May, a report from the United Nations Security Council highlighted North Korea’s increasing engagement in cyberattacks, accounting for nearly half of its foreign currency revenues. While investigations are ongoing, there are suspicions that the Lazarus Group has pilfered over $3 billion in cryptocurrency assets spanning six years, with the peak occurring in 2023.

In 2023, Lazarus was implicated in stealing over 17% of the total stolen funds, roughly exceeding $300 million. An analysis by Immunefi, published on December 28, revealed that attacks and exploits led to a staggering loss of more than $1.8 billion in cryptocurrency throughout the year.

Lazarus, a well-known group in cybercrime circles, has reportedly employed crypto mixers extensively to obscure the source of their illicitly obtained funds. Amidst ongoing concerns about money laundering via privacy protocols, Railgun, a widely used protocol, has denied any involvement with North Korean hackers or individuals under sanctions.

These allegations surfaced after an FBI statement in January 2023, which claimed that North Korea’s Lazarus Group funneled over $60 million in Ethereum through Railgun following a cyberattack in June 2022.

After the U.S. sanctions on Tornado Cash, there were rumors that Railgun was gaining popularity as a preferred alternative for such operations.

