North Korean hackers target crypto firms with ‘Durian’ malware, Kaspersky confirms

North Korean hackers used a new malware variant called “Durian” to attack South Korean cryptocurrency companies.

North Korean hacking group Kimsuky used this malware in targeted attacks against at least two cryptocurrency companies, according to a May 9 threat report from cybersecurity firm Kaspersky.

The attackers delivered the malware through legitimate security software used exclusively by South Korean crypto firms. The previously undocumented Durian malware acts as an installer that deploys a continuous stream of additional malware, including a backdoor called “AppleSeed”, a custom proxy tool called LazyLoad, and legitimate programs such as Chrome Remote Desktop.

“Durian has extensive backdoor functionality that allows execution of delivered commands, additional file downloads and exfiltration of files,” Kaspersky said.

Kaspersky also found that LazyLoad had been used by Andariel, a subgroup of the North Korean hacking consortium Lazarus Group, which it said suggests a “tenuous” connection between Kimsuky and the more notorious organization.

First observed in 2009, Lazarus has become one of the most notorious hacking groups targeting cryptocurrency.

ZachXBT, an independent blockchain researcher, reported on April 29 that the Lazarus Group laundered more than $200 million in stolen cryptocurrency between 2020 and 2023.

In May, the United Nations Security Council released a report detailing North Korea’s growing reliance on cyberattacks, which now account for almost half of the country’s foreign-currency earnings. Although investigations are ongoing, Lazarus Group is suspected of stealing more than $3 billion in cryptocurrency over six years, with thefts peaking in 2023.

Lazarus was accused of stealing more than 17% of all funds stolen in 2023, or just over $300 million. According to an Immunefi analysis published on December 28, more than $1.8 billion in cryptocurrency was lost to hacks and exploits in 2023.

Lazarus has reportedly made extensive use of crypto mixers to obscure the origin of stolen funds. Amid ongoing concern about money laundering through privacy protocols, Railgun, a popular privacy protocol, has denied allegations that it is being used by North Korean hackers or sanctioned individuals.

Those allegations stem from a January 2023 FBI disclosure stating that North Korea’s Lazarus Group had laundered more than $60 million in Ether through Railgun after a June 2022 cyberattack.

There was speculation that after US sanctions against the popular cryptocurrency mixer Tornado Cash, Railgun had become the preferred alternative for such operations.
