North Korean hackers have reportedly developed a new and remarkable malware variant called “Durian” to launch attacks on cryptocurrency firms in South Korea. According to a threat report by cybersecurity firm Kaspersky on May 9, the North Korean hacking group Kimsuky has already used this malware in targeted attacks on at least two crypto companies. The hackers exploited legitimate security software exclusively used by these firms in South Korea to carry out persistent attacks.
The previously unknown Durian malware functions as an installer that deploys a continuous stream of malware. This includes a backdoor called “AppleSeed” and a custom proxy tool known as LazyLoad, as well as legitimate tools such as Chrome Remote Desktop. Kaspersky stated that Durian has extensive backdoor functionality, allowing the execution of delivered commands, additional file downloads, and file exfiltration.
Kaspersky also highlighted that Andariel, a sub-group within the Lazarus Group, a well-known North Korean hacking consortium, has used LazyLoad as well. This suggests a possible connection between Kimsuky and the more infamous Lazarus Group.
Lazarus Group, which emerged in 2009, has gained notoriety as one of the most prominent crypto hacking groups. On April 29, blockchain investigator ZachXBT revealed that the group had successfully laundered over $200 million in illicitly obtained cryptocurrency between 2020 and 2023. In the six years leading up to 2023, Lazarus is accused of stealing over $3 billion in crypto assets. In 2023 alone, Lazarus was credited with stealing over 17% of the total stolen funds, amounting to slightly over $309 million. Throughout 2023, more than $1.8 billion worth of crypto was lost to hacks and exploits, as reported by Immunefi on December 28.
In conclusion, the Lazarus Group, known for its favorite exploit, has been implicated in numerous crypto hacks. The recent emergence of the Durian malware utilized by Kimsuky suggests a continuous threat to the security of cryptocurrency firms in South Korea.

