North Korean hackers have launched a cyber attack on South Korean cryptocurrency companies using a newly identified malware named “Durian.” The operation, attributed to the Kimsuky group, relied on sophisticated malware and on the exploitation of security software used specifically by crypto businesses.
Lazarus, another North Korean hacking group, has been a prominent name in crypto-related cybercrime since its emergence in 2009. On April 29, blockchain investigator ZachXBT revealed that Lazarus laundered over $200 million in cryptocurrency from 2020 to 2023.
This group has been implicated in stealing more than $3 billion in cryptocurrency over the past six years, with $309 million stolen in 2023 alone. This figure represented over 17% of the total crypto stolen globally that year.
As of late 2023, over $1.8 billion in cryptocurrency had been lost to various hacks and exploits, with Lazarus playing a significant role in these losses, as reported by Immunefi on December 28.
A recent Kaspersky threat report dated May 9 highlighted Kimsuky’s cyberattacks. The Durian malware acts as a gateway for additional malicious activities, including the deployment of a backdoor called “Appleseed,” the custom proxy tool “LazyLoad,” and even legitimate tools like Chrome Remote Desktop.
“Durian” enables comprehensive control for hackers, allowing them to execute commands remotely, download additional malicious files, and extract sensitive information from infected systems.
Further investigation reveals that LazyLoad, also employed in these attacks, has previously been used by Andariel. Andariel is part of the larger Lazarus Group, a North Korean hacking entity known for its global cybercriminal activities. This suggests a possible, though weak, link between Kimsuky and the notorious Lazarus Group.