
North Korean hackers are using an “astonishing” new version of malware

North Korean hackers are using an “astonishing” new version of malware dubbed “Durian” to launch attacks on South Korean cryptocurrency companies.

The North Korean hacking group Kimsuky has used the new malware in a series of targeted attacks on at least two cryptocurrency companies so far, according to a May 9 threat report from cybersecurity firm Kaspersky.

According to Kaspersky, the infections were achieved through a “sustained” attack that exploited legitimate security software used exclusively by South Korean cryptocurrency companies.


The previously unknown Durian malware acts as an installer that deploys further tooling onto the victim machine: a backdoor known as “AppleSeed,” a custom proxy tool known as LazyLoad, and legitimate software such as Chrome Remote Desktop, which gives the attackers an off-the-shelf remote access channel.

“Durian features comprehensive backdoor functionality, allowing execution of delivered commands, downloading additional files, and file extraction,” Kaspersky wrote.

Kaspersky also noted that LazyLoad has been used by Andariel, a sub-group within the North Korean hacking consortium Lazarus Group, which suggests a “weak” relationship between Kimsuky and the more notorious group.


Active since 2009, Lazarus has established itself as one of the most prolific cryptocurrency hacking groups.

On April 29, independent blockchain investigator ZachXBT reported that the Lazarus Group laundered more than $200 million in illicitly obtained cryptocurrency between 2020 and 2023.

In total, the Lazarus Group is accused of stealing more than $3 billion in cryptocurrency assets in the six years leading up to 2023.

According to a report released on 28 December by Immunefi, more than $1.8 billion in cryptocurrency was lost to hacks and exploits in 2023. Lazarus is credited with just over $309 million of that total, more than 17% of all funds stolen during the year.

