The North Korean hacking group Kimsuky, also tracked as APT43, has reportedly targeted two South Korean cryptocurrency firms using a newly discovered Golang-based malware named Durian. According to security vendor Kaspersky, Durian is a full-featured backdoor that lets the operators execute commands, download files, and exfiltrate data. The attacks took place between August and November 2023, with the attackers exploiting a software vulnerability to gain initial access to the victims' systems.
Once inside the targeted networks, Durian was used to deploy additional tools, including Kimsuky's AppleSeed backdoor and a custom proxy tool named LazyLoad. Notably, LazyLoad has also been linked to Andariel, a sub-group of the Lazarus hacking group, which points to shared tooling among North Korean threat actors. Kimsuky, believed to have been active since 2012 and to operate under North Korea's Reconnaissance General Bureau, is known for email-based phishing campaigns aimed at stealing cryptocurrency.
In December 2023, Kimsuky posed as South Korean government officials and journalists in phishing attacks that resulted in cryptocurrency theft from 1,468 victims between March and October 2023. The group targeted retired government officials from the diplomatic, military, and national security sectors with convincing phishing emails. Kimsuky had previously targeted Russian aerospace and defense companies during the COVID-19 pandemic, taking advantage of the disruption caused by the global health crisis.
Reports indicate that the group has been actively launching cyberattacks against a range of sectors, including cryptocurrency companies and government entities. The use of purpose-built malware like Durian reflects the group's evolving tooling and capabilities, and the overlap with other North Korean threat groups such as Andariel underscores the complexity of the country's state-sponsored cyber operations and the need for stronger defenses around sensitive data and assets.
As Kimsuky continues to pose a threat to organizations worldwide, businesses and individuals should remain alert to phishing attempts and maintain robust security controls to reduce the risk of compromise. By staying informed about current threats and security best practices, organizations can better defend against advanced intrusions like those carried out by Kimsuky and other state-sponsored groups.