Crypto Firms Being Targeted by Golang Malware “Durian” Deployed by North Korean Hackers
A previously undocumented Golang-based malware, tracked as Durian, has been used by the North Korean threat actor known as Kimsuky in highly targeted cyber attacks against two South Korean cryptocurrency firms.
Kaspersky, APT Trends Report, Q1 2024:
“Durian boasts comprehensive backdoor functionality, enabling the execution of delivered commands, additional file downloads, and exfiltration of files.”
“Ultimately, the actor implanted the malware to pilfer browser-stored data including cookies and login credentials.”
Legitimate software that is used only in South Korea served as the infection channel in the August and November 2023 attacks. The specific method by which the product was manipulated is still unknown.
What is known is that the software connects to an attacker-controlled site and retrieves a malicious payload, which initiates the infection chain.
The first stage installs additional malware and establishes persistence on the host. It also stages a loader that ultimately executes Durian.
Durian, in turn, is used to deliver further tooling: AppleSeed, Kimsuky’s go-to backdoor; a custom proxy program called LazyLoad; and legitimate software such as ngrok and Chrome Remote Desktop, which the actor abuses for tunnelling and remote access.
The use of LazyLoad is noteworthy, since it has previously been employed by Andariel, a sub-cluster of the Lazarus Group. This suggests that the two threat actors may be collaborating or sharing tactical responsibilities.
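The abuse of ngrok and Chrome Remote Desktop described above is hard to catch by file hash alone, because both are legitimate programs. The following Python script is an added example, not code from the Kaspersky report or from the article's author; it runs three detection rules over constructed process-creation records (Sysmon Event ID 1 style fields, invented for this demo) and flags ngrok tunnels even when the binary has been renamed, Chrome Remote Desktop host enrolment launched from a shell or script host, and on-disk names that differ from the compiled-in original file name. Hostnames, users, paths and command lines are all assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style fields)."""
    host: str
    user: str
    image: str               # full path of the started executable
    original_file_name: str  # OriginalFileName from the PE version resource
    command_line: str
    parent_image: str


# Constructed sample telemetry for the demo; not taken from any real incident.
EVENTS = [
    ProcEvent("ws-01", "CORP\\alice",
              r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
              r"C:\Windows\explorer.exe"),
    # ngrok renamed to look like a system binary and exposing RDP through a tunnel
    ProcEvent("ws-01", "CORP\\alice",
              r"C:\Users\alice\AppData\Local\Temp\svchost.exe", "ngrok.exe",
              r"C:\Users\alice\AppData\Local\Temp\svchost.exe tcp 3389 --authtoken 1abc",
              r"C:\Windows\System32\cmd.exe"),
    # Chrome Remote Desktop host registered from a script rather than by the user
    ProcEvent("ws-02", "CORP\\bob",
              r"C:\Program Files (x86)\Google\Chrome Remote Desktop\123.0.0.0\remoting_start_host.exe",
              "remoting_start_host.exe",
              r'remoting_start_host.exe --code="4/0Axyz" --redirect-url="https://remotedesktop.google.com/_/oauthredirect" --name=ws-02',
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    # Legitimate Chrome Remote Desktop host service started by the service control manager
    ProcEvent("ws-03", "NT AUTHORITY\\SYSTEM",
              r"C:\Program Files (x86)\Google\Chrome Remote Desktop\123.0.0.0\remoting_host.exe",
              "remoting_host.exe",
              r'"C:\Program Files (x86)\Google\Chrome Remote Desktop\123.0.0.0\remoting_host.exe" --type=host',
              r"C:\Windows\System32\services.exe"),
]

SCRIPT_PARENTS = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                  "cscript.exe", "mshta.exe", "rundll32.exe")
# ngrok CLI shape: "<exe> (tcp|http|tls) <port or host:port> [--authtoken ...]"
NGROK_CMDLINE = re.compile(r"\b(tcp|http|tls)\s+(\d{1,5}|[\w.-]+:\d{1,5})\b", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return (rule_name, event) pairs for every event that matches one of the rules."""
    alerts = []
    for ev in events:
        image = _basename(ev.image)
        orig = ev.original_file_name.lower()
        parent = _basename(ev.parent_image)
        cmd = ev.command_line.lower()
        # Rule 1: ngrok, identified by PE metadata (survives renaming) or by CLI shape plus authtoken
        if orig == "ngrok.exe" or ("--authtoken" in cmd and NGROK_CMDLINE.search(cmd)):
            alerts.append(("ngrok_tunnel", ev))
        # Rule 2: Chrome Remote Desktop host enrolment launched from a shell or script host
        if orig == "remoting_start_host.exe" and "--code=" in cmd and parent in SCRIPT_PARENTS:
            alerts.append(("crd_host_enrolment_from_script", ev))
        # Rule 3: on-disk name differs from the compiled-in name (masquerading)
        if orig and image != orig:
            alerts.append(("filename_masquerade", ev))
    return alerts


if __name__ == "__main__":
    for rule, ev in detect(EVENTS):
        print(f"{ev.host} {rule}: {ev.command_line}")
```

On the constructed input the renamed ngrok process trips both the tunnel rule and the masquerade rule, the scripted Chrome Remote Desktop enrolment trips the enrolment rule, and the host service started by services.exe is left alone. Rule 1 relies on OriginalFileName being available in the telemetry; where it is not, the command-line pattern is the fallback.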
Kimsuky has been active since at least 2012. Its operations are also tracked under the names APT43, Black Banshee, Emerald Sleet (formerly Thallium), Springtail, TA427, and Velvet Chollima.
It is assessed to be a subordinate element of the 63rd Research Center, a division of the Reconnaissance General Bureau (RGB), North Korea’s primary military intelligence agency.
The U.S. Federal Bureau of Investigation (FBI) and the National Security Agency (NSA), joint alert, May:
“Kimsuky actors’ primary mission is to provide stolen data and valuable geopolitical insight to the North Korean regime by compromising policy analysts and other experts.”
“Successful compromises further enable Kimsuky actors to craft more credible and effective spear-phishing emails, which can then be leveraged against more sensitive, higher-value targets.”
Broadcom-owned Symantec:
The nation-state adversary has also been linked to campaigns that deliver a C#-based remote access trojan and information stealer called TutorialRAT, which uses Dropbox as a “base for their attacks to evade threat monitoring.”
“This campaign appears to be an extension of APT43’s BabyShark threat campaign and employs typical spear-phishing techniques, including the use of shortcut (LNK) files.”
The disclosure coincides with a report from the AhnLab Security Intelligence Center (ASEC) on a campaign by ScarCruft, a separate North Korean state-sponsored group, that targets South Korean users with Windows shortcut (LNK) files and ultimately deploys the RokRAT backdoor.
The group, also tracked as APT37, InkySquid, RedEyes, Ricochet Chollima, and Ruby Sleet, is assessed to be aligned with North Korea’s Ministry of State Security (MSS) and tasked with covert intelligence gathering in support of the country’s strategic military, political, and economic interests.
AhnLab Security Intelligence Center (ASEC):
“The recently confirmed shortcut files (*.LNK) are found to be targeting South Korean users, particularly those related to North Korea.”
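Both the APT43 BabyShark activity reported by Symantec and the ScarCruft campaign reported by ASEC rely on Windows shortcut (LNK) files as the lure. The Python script below is an added example, not code from either vendor or from the article's author: it parses the Shell Link header and StringData fields as laid out in the MS-SHLLINK specification and flags the traits that commonly give such lures away, namely a command-line argument string that invokes PowerShell or another script host, leading whitespace padding that hides the command in the shortcut's Properties dialog, and an abnormally large file size caused by an appended payload. The two .lnk blobs are constructed inline for the demo (they are not real samples), the detection thresholds are illustrative, and LinkTargetIDList, LinkInfo and ExtraData blocks are skipped rather than decoded.

```python
import struct

# ShellLinkHeader constants from MS-SHLLINK
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData fields appear in this fixed order when their flag is set
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELPATH),
                 ("working_dir", HAS_WORKDIR), ("arguments", HAS_ARGS),
                 ("icon_location", HAS_ICON))


def build_lnk(relative_path, arguments="", icon="", trailer=b""):
    """Assemble a minimal .lnk (header + StringData only). Used here only to construct test input."""
    flags = IS_UNICODE | HAS_RELPATH
    if arguments:
        flags |= HAS_ARGS
    if icon:
        flags |= HAS_ICON
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))  # remaining header fields left zeroed

    def string_data(s):  # CountCharacters (uint16) followed by UTF-16LE characters
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = string_data(relative_path)
    if arguments:
        body += string_data(arguments)
    if icon:
        body += string_data(icon)
    return header + body + trailer


def parse_lnk(data):
    """Walk the Shell Link structure and return its StringData fields plus the file size."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_IDLIST:      # LinkTargetIDList: uint16 size, then the list itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:    # LinkInfo: uint32 size that includes the size field
        pos += struct.unpack_from("<I", data, pos)[0]
    is_unicode = bool(flags & IS_UNICODE)
    fields = {"file_size": len(data)}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        nbytes = count * 2 if is_unicode else count
        raw = data[pos:pos + nbytes]
        fields[name] = raw.decode("utf-16-le") if is_unicode else raw.decode("cp1252")
        pos += nbytes
    return fields


SUSPICIOUS_TOKENS = ("powershell", "pwsh", "-enc", "-windowstyle hidden", "bypass", "mshta",
                     "rundll32", "wscript", "cscript", "certutil", "downloadstring",
                     "invoke-expression")


def assess_lnk(data, size_threshold=64 * 1024, padding_threshold=50):
    """Parse a shortcut and list the reasons it looks like a spear-phishing lure."""
    info = parse_lnk(data)
    args = info.get("arguments", "")
    low = args.lower()
    reasons = [f"arguments contain {tok!r}" for tok in SUSPICIOUS_TOKENS if tok in low]
    leading = len(args) - len(args.lstrip())
    if leading > padding_threshold:
        reasons.append(f"arguments padded with {leading} leading spaces to hide the command")
    if info["file_size"] > size_threshold:
        reasons.append(f"file is {info['file_size']} bytes; a genuine shortcut is usually a few KB")
    return info, reasons


# Constructed samples for the demo, not real malware.
BENIGN_LNK = build_lnk(r"..\..\Program Files\Notepad++\notepad++.exe")
LURE_LNK = build_lnk(r"..\..\Windows\System32\cmd.exe",
                     " " * 200 + "/c powershell -windowstyle hidden -enc QQBCAEMA",
                     icon=r"%SystemRoot%\System32\imageres.dll",
                     trailer=b"\x00" * 200_000)  # stands in for an appended encoded payload

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("lure", LURE_LNK)):
        info, reasons = assess_lnk(blob)
        print(label, info.get("relative_path"), reasons or "no findings")
```

The parser deliberately fails closed on anything that does not carry the Shell Link header size and CLSID, so a renamed file with a .lnk extension is reported as an error rather than silently scored as clean. Real lures usually also point the icon at a document viewer while the target is cmd.exe or powershell.exe; that mismatch is visible in the returned fields and is an easy extra rule to add.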
About The Author
Suraj Koli is a content specialist with expertise in cybersecurity and B2B domains. He has contributed to the News4Hackers Blog and Craw Security, and has also written content for sectors including business, law, food and beverage, and entertainment. Koli came to the field by an unusual route: he started his career selling products, where he learned to understand a product and the client’s point of view from the customer’s perspective, which simplified his journey in the long run and sets him apart from other writers. He is currently a regular writer at Craw Security.