The North Korean threat actor known as Kimsuky has been using a new malware called Durian in targeted cyber attacks against South Korean cryptocurrency companies.
Kaspersky disclosed in its APT trends report for Q1 2024 that “Durian features a sophisticated backdoor that allows for executing commands, downloading additional files, and stealing files.”
The attacks occurred in August and November 2023 and involved leveraging legitimate software specific to South Korea to breach systems. The exact method of exploiting the software remains unknown.
The malware establishes a connection with the attacker’s server to download a malicious payload, initiating the infection process.
The initial stage of infection acts as an installer for additional malware and establishes persistence on the infected host. It also prepares the system for a loader malware that ultimately runs Durian.
Durian is used to introduce other malware, including Kimsuky’s primary backdoor AppleSeed, a customized proxy tool known as LazyLoad, as well as legitimate tools like ngrok and Chrome Remote Desktop.
The malware’s main objective is to steal browser-stored data such as cookies and login credentials.
A notable aspect of the attack is the use of LazyLoad, previously linked to Andariel, a subgroup of the Lazarus Group, hinting at a potential collaboration between the two threat actors.
Kimsuky has been active since at least 2012 and is also associated with other threat actor names such as APT43, Black Banshee, and TA427.
The group is believed to operate under the 63rd Research Center, a component of North Korea’s Reconnaissance General Bureau (RGB).
The FBI and NSA stated in a recent alert that Kimsuky’s primary goal is to gather sensitive data and provide geopolitical insights to the North Korean regime by compromising experts in various fields.
The group has also been involved in campaigns deploying a C#-based remote access trojan and information stealer known as TutorialRAT, using Dropbox to evade detection.
In a separate campaign, the AhnLab Security Intelligence Center (ASEC) detailed activities by another North Korean hacking group called ScarCruft, targeting South Korean users with Windows shortcut files to deploy RokRAT.
ScarCruft, also known as APT37, is aligned with North Korea’s Ministry of State Security (MSS) and focuses on gathering intelligence to support national interests.
ASEC attributed the shortcut files targeting South Korean users to North Korea.