Kimsuky hacking group targets South Korean crypto firms with new malware — report

Crypto Briefing, 2024/05/16 12:13
By: Vince Dioquino

Kimsuky, a North Korean hacking group, has reportedly been utilizing a new malware variant called “Durian” to launch targeted attacks on South Korean crypto firms.

The incident is described in a recently published threat intelligence report from Kaspersky. According to Kaspersky's research, the malware is delivered by exploiting security software used by South Korean crypto firms, at least two of which have been identified as victims.

“Based on our telemetry, we pinpointed two victims within the South Korean cryptocurrency sector. The first compromise occurred in August 2023, followed by a second in November 2023. Notably, our investigation did not uncover any additional victims during these instances, indicating a highly focused targeting approach by the actor,” the report stated.

Durian is an "initial-stage" installer: it drops additional malware and establishes a persistence mechanism on the device it compromises. Once executed, the malware drops a stage loader and registers it with the compromised operating system for automatic execution. The installation is completed with a final payload written in Go (Golang), an open-source programming language developed by Google.

The final payload then accepts remote commands that instruct the compromised device to download and exfiltrate files. The choice of language is also notable given Golang's suitability for networked machines and large codebases.

Interestingly, Kaspersky’s report also revealed that LazyLoad, one of the tools deployed by Durian, has been used by Andariel, a sub-group within the notorious North Korean hacking consortium Lazarus Group. This finding suggests a potential connection between Kimsuky and Lazarus, although Kaspersky described the link as “tenuous” at best.

Lazarus Group, which first emerged in 2009, has established itself as one of the most notorious groups of crypto hackers. Independent onchain sleuth ZachXBT recently revealed that the group had successfully laundered over $200 million in ill-gotten crypto between 2020 and 2023. In total, Lazarus is accused of stealing over $3 billion in crypto assets in the six years leading up to 2023.

Last week, a US court ordered the forfeiture of 279 crypto accounts tied to North Korean threat incidents.
