North Korean hackers target crypto firms with ‘Durian’ malware, Kaspersky confirms

Kaspersky has confirmed that the North Korean hacking group Kimsuky used a previously unseen malware strain, “Durian,” in targeted attacks on at least two South Korean cryptocurrency firms. The finding is the latest sign of North Korea’s growing reliance on cybercrime, which reportedly now accounts for nearly half of its foreign currency earnings.


North Korean hackers have deployed a new malware strain named “Durian” against South Korean businesses that handle cryptocurrency.

According to Kaspersky’s May 9 threat report, the North Korean hacking group Kimsuky used the malware in targeted attacks on at least two cryptocurrency companies.

Kimsuky delivered the malware by abusing legitimate security software that is used exclusively by South Korean crypto companies. Durian, which had not been observed before, functions as an installer: once it runs, it deploys a series of further tools, including the “AppleSeed” backdoor, a custom proxy tool called “LazyLoad,” and legitimate software such as Chrome Remote Desktop.

According to Kaspersky, Durian itself has broad capabilities: it can execute commands it receives, download additional files, and exfiltrate files from the infected machine.
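One way a defender could hunt for the pattern described above, an installer that stages a legitimate remote-access tool such as Chrome Remote Desktop, shown as an added example that is not Kaspersky’s detection logic and not code from the report. The process names, the list of expected parent processes, the paths, and the Sysmon-style sample events are all constructed assumptions for illustration:

```python
"""Hunt for a dropper-then-remote-access-tool chain in process-creation telemetry.

Added example for this article; it is not Kaspersky's detection logic and not code
from the report. Process names, expected parents, paths and the sample events are
constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumption: host-side process names of Chrome Remote Desktop (not taken from the article).
REMOTE_ACCESS_IMAGES = {"remoting_host.exe", "remoting_start_host.exe"}
# Assumption: parents from which an admin-driven install or a service start would launch it.
EXPECTED_PARENTS = {"msiexec.exe", "services.exe", "explorer.exe"}
# Directories an unprivileged dropper can write to; a binary running from here is suspect.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\programdata\\", "\\users\\public\\")
WINDOW = timedelta(minutes=10)

# Constructed Sysmon-style process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    # ws-01: an administrator installs Chrome Remote Desktop normally via msiexec.
    {"ts": "2024-05-01T09:00:00", "host": "ws-01",
     "image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2024-05-01T09:01:00", "host": "ws-01",
     "image": r"C:\Program Files (x86)\Google\Chrome Remote Desktop\124.0\remoting_host.exe",
     "parent": r"C:\Windows\System32\msiexec.exe"},
    # ws-07: an unknown binary from the user's Temp directory runs, then stages the
    # remote-access host under ProgramData and launches it itself.
    {"ts": "2024-05-01T13:00:00", "host": "ws-07",
     "image": r"C:\Users\jlee\AppData\Local\Temp\update_secure.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"ts": "2024-05-01T13:02:30", "host": "ws-07",
     "image": r"C:\ProgramData\crd\remoting_host.exe",
     "parent": r"C:\Users\jlee\AppData\Local\Temp\update_secure.exe"},
    # ws-09: the host service restarts after a reboot; expected behaviour.
    {"ts": "2024-05-01T14:00:00", "host": "ws-09",
     "image": r"C:\Program Files (x86)\Google\Chrome Remote Desktop\124.0\remoting_host.exe",
     "parent": r"C:\Windows\System32\services.exe"},
]


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def in_user_writable_dir(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def hunt(events):
    """Return findings for remote-access tools started outside the expected pattern."""
    findings = []
    recent_drops = defaultdict(list)  # host -> [(time, image)] of binaries from user-writable dirs
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        image, parent = basename(e["image"]), basename(e["parent"])
        if in_user_writable_dir(e["image"]):
            recent_drops[e["host"]].append((ts, e["image"]))
        if image not in REMOTE_ACCESS_IMAGES:
            continue
        if parent in EXPECTED_PARENTS and not in_user_writable_dir(e["image"]):
            continue  # normal install or service start from the install directory
        reasons = []
        if parent not in EXPECTED_PARENTS:
            reasons.append(f"launched by unexpected parent {parent}")
        if in_user_writable_dir(e["image"]):
            reasons.append("remote-access binary running from a user-writable directory")
        # Look back WINDOW on the same host for a preceding binary from a user-writable
        # directory: the installer-then-tool sequence an attacker's dropper produces.
        droppers = [img for (t, img) in recent_drops[e["host"]]
                    if ts - WINDOW <= t < ts and basename(img) != image]
        severity = "medium"
        if droppers:
            severity = "high"
            reasons.append(f"preceded within {WINDOW} by {droppers[-1]}")
        findings.append({"host": e["host"], "ts": e["ts"], "image": e["image"],
                         "parent": e["parent"], "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} {f['ts']} {f['image']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

The point of the lookback is that a legitimate remote-access tool is not malicious on its own; the signal is the context it was installed in. An admin install through msiexec and a service restart pass silently, while the same binary launched by an unknown executable out of a temp directory is escalated.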

Kaspersky also found that LazyLoad was used not only by Kimsuky but also by Andariel, a sub-group of the notorious Lazarus Group, which it says suggests a “tenuous” connection between Kimsuky and the better-known group.

The Lazarus Group, active since 2009, is the North Korean hacking collective most closely associated with large-scale cryptocurrency theft.

On April 29, 2024, independent blockchain investigator ZachXBT reported that the Lazarus Group had laundered over $200 million in illicitly obtained cryptocurrency between 2020 and 2023.

In May 2023, a United Nations Security Council report found that North Korea increasingly relies on cyberattacks, which account for nearly half of its foreign currency income. The Lazarus Group is suspected of stealing more than $3 billion in cryptocurrency over a six-year period, with the most recent major thefts occurring in 2023.

In 2023 alone, more than $1.8 billion in cryptocurrency was lost to hacks and exploits; Lazarus was allegedly responsible for over 17% of that, roughly $300 million.

Lazarus is known to rely heavily on crypto mixers to obscure the origin of stolen funds. Railgun, a widely used privacy protocol, has denied claims linking it to North Korean hackers or sanctioned entities.

Those claims followed a January 2023 FBI statement that Lazarus had laundered roughly $60 million worth of Ethereum through Railgun after a hack in June 2022.

Some in the crypto community have speculated that Railgun could become the go-to tool for obscuring transaction origins following the U.S. sanctions against Tornado Cash.

2024-05-13 11:50