
Kaspersky: North Korean Cybercriminals Infest Crypto Companies with ‘Durian’ Malware

Kimsuky Group Deploys 'Durian' In Cyber Attacks Against South Korean Cryptocurrency Entities

by Robert Green
May 13, 2024

Key Points

  • North Korean hackers have launched a new malware, “Durian”, to target South Korean cryptocurrency firms.
  • The infamous Lazarus Group is suspected of laundering over $3 billion in cryptocurrency assets in six years.

North Korean cybercriminals have unleashed a new malware variant named “Durian” to target South Korean firms dealing in Bitcoin and other cryptocurrencies.

The threat report released by cybersecurity company Kaspersky on May 9 revealed that the North Korean hacking group Kimsuky is behind these targeted attacks on at least two cryptocurrency firms.

Exploiting Security Software

The attacks were executed by exploiting legitimate security software used exclusively by South Korean cryptocurrency firms. The previously unknown Durian malware acts as an installer, deploying a steady stream of additional tooling, including a backdoor named “AppleSeed,” a custom proxy tool called LazyLoad, and legitimate programs such as Chrome Remote Desktop.

Kaspersky stated, “Durian provides comprehensive backdoor functionality, enabling the execution of delivered commands, additional file downloads, and exfiltration of files.”

Link to Lazarus Group

The cybersecurity firm also found that LazyLoad was used by Andariel, a sub-group of the notorious North Korean hacking consortium Lazarus Group. This implies a “tenuous” connection between Kimsuky and the more infamous hacking organization.

Lazarus, which first emerged in 2009, has become one of the most notorious cryptocurrency hacker groups.

ZachXBT, an independent blockchain investigator, reported on April 29 that the Lazarus Group had successfully laundered over $200 million in ill-gotten cryptocurrency between 2020 and 2023.

In May, the United Nations Security Council released a report highlighting North Korea’s increasing involvement in cyberattacks, which now account for nearly half of its foreign currency earnings.

The Lazarus Group is suspected of stealing more than $3 billion in cryptocurrency assets over a span of six years, ending in 2023.

Lazarus was implicated in stealing over 17% — or slightly more than $300 million — of all stolen funds in 2023. According to an analysis by Immunefi released on December 28, more than $1.8 billion in cryptocurrency was lost due to attacks and exploits in 2023.

The notorious Lazarus group is known to extensively use crypto mixers in their operations to hide the origins of stolen funds.

As concerns about laundering through privacy protocols continue, Railgun, a popular protocol, has denied allegations of being used by North Korean hackers or sanctioned individuals.

These allegations surfaced following a January 2023 FBI statement suggesting that North Korea’s Lazarus Group had laundered over $60 million in Ethereum through Railgun after a cyberattack in June 2022.

After the U.S. imposed sanctions on popular crypto mixer Tornado Cash, there was speculation that Railgun was becoming a preferred alternative for such operations.
