According to reports, the notorious North Korean hacking group Kimsuky, also known as APT43, carried out cyber attacks on two South Korean crypto companies using previously undocumented Golang-based malware called Durian.
According to findings by cybersecurity solutions giant Kaspersky, Durian features “comprehensive backdoor functionality.” This feature allows it to execute supplied commands and download additional files.
The attacks reportedly took place between August and November 2023 and involved the exploitation of South Korean software to gain initial access.
“Based on our telemetry, we have identified two victims in South Korea’s cryptocurrency sector. The first compromise was made in August 2023 and the second in November 2023.”
Once the malware was installed and started running on the victim’s systems, Durian deployed additional tools, including Kimsuky’s AppleSeed backdoor and a custom proxy tool called LazyLoad.
Interestingly, the LazyLoad tool links to Andariel, a subgroup of the notorious Lazarus. This also raises suspicions of joint tactics by both North Korean threat groups, according to Hacker News.
Kimsuky is reported to have begun operations in at least 2012, and reports to the North Korean Reconnaissance General Bureau (RGB), the country’s military intelligence agency.
Kimsuky’s mail mafia
The Kimsuky group is well known for carrying out various phishing attacks via email to steal cryptocurrencies. According to police reports, a total of 1,468 people fell victim to crypto hackers between March and October 2023.
Among the victims were retired government officials involved in diplomacy, the military and national security. According to reports, the perpetrators sent what appeared to be credible phishing emails.
The state-backed hacking group had previously targeted Russian air and space defense companies, “taking advantage of the coronavirus pandemic.”
According to a report in Kommersant, RT-Inform, the IT security division of Russia’s state technology agency Rostec, noted an increase in the number of cyber attacks on IT networks during the pandemic, from April to September 2020.