ARTICLE AD
North Korean hackers have deployed a new malware variant called “Durian” to attack South Korean cryptocurrency firms.
According to a May 9 threat report from cybersecurity firm Kaspersky, the North Korean hacking group Kimsuky used this malware in targeted attacks on at least two cryptocurrency firms.
The attacks were conducted by exploiting legitimate security software used exclusively by South Korean crypto firms. The previously undisclosed Durian malware serves as an installer, deploying a steady stream of spyware, including a backdoor called “AppleSeed,” a bespoke proxy tool called LazyLoad, and other genuine programs like Chrome Remote Desktop.
“Durian boasts comprehensive backdoor functionality, enabling the execution of delivered commands, additional file downloads, and exfiltration of files,” Kaspersky stated.
Furthermore, the cybersecurity firm discovered that LazyLoad was also used by Andariel, a sub-organization inside fellow North Korean hacking consortia Lazarus group, implying a “tenuous” link between Kimsuky and the more infamous hacking organization.
Having first surfaced in 2009, Lazarus has become one of the most notorious cryptocurrency hacker groups.
On April 29, ZachXBT, an independent blockchain investigator, reported that the Lazarus business had successfully laundered over $200 million in ill-gotten cryptocurrency between 2020 and 2023.
In May, The United Nations Security Council released a report indicating North Korea’s escalating involvement in cyberattacks, which now comprise almost half of its foreign currency earnings. Although investigations are still ongoing, the Lazarus Group is suspected of stealing more than $3 billion in cryptocurrency assets over the course of six years, culminating in 2023.
Lazarus was accused of stealing more than 17% — or slightly more than $300 million — of all stolen funds in 2023. According to an Immunefi analysis released on December 28, more than $1.8 billion in cryptocurrency was lost due to attacks and exploits in 2023.
The notorious group Lazarus has been reported to use crypto mixers extensively in their operations to obscure the origins of stolen funds. As concerns about laundering through privacy protocols persist, Railgun, a popular protocol, has refuted allegations of being used by North Korean hackers or sanctioned individuals.
The claims came to light following a January 2023 FBI statement suggesting that North Korea’s Lazarus Group had laundered over $60 million in Ethereum through Railgun after a cyberattack in June 2022.
Following the U.S. sanctions on popular crypto mixer Tornado Cash, there were speculations that Railgun was becoming a preferred alternative for such operations.