North Korean hackers have reportedly deployed a new malware variant called “Durian” to target South Korean cryptocurrency firms. The hacking group, Kimsuky, used this malware in a series of focused attacks on at least two crypto companies, according to a threat report published by cybersecurity firm Kaspersky on May 9th. The hackers gained persistent access by exploiting legitimate security software used exclusively by crypto firms in South Korea.

Durian, previously unknown, acts as an installer for various malware, including a backdoor named “AppleSeed,” a custom proxy tool called LazyLoad, and legitimate tools like Chrome Remote Desktop. Kaspersky emphasized Durian’s extensive backdoor functionality, which enables the execution of commands, file downloads, and file exfiltration. Furthermore, Kaspersky found that LazyLoad has also been used by Andariel, a sub-group of the infamous North Korean hacking consortium Lazarus Group, suggesting a connection between Kimsuky and the more renowned hacking group.

Lazarus Group, established in 2009, has gained notoriety as one of the most prominent crypto hacking groups. On April 29th, independent blockchain investigator ZachXBT revealed that Lazarus Group had successfully laundered over $200 million in illicit cryptocurrency between 2020 and 2023. The group has been accused of stealing over $3 billion in crypto assets in the six years leading up to 2023. In that year alone, Lazarus Group was responsible for stealing over 17% (approximately $309 million) of the total stolen funds. The Immunefi report from December 28th stated that more than $1.8 billion worth of crypto was lost to hacks and exploits throughout 2023.