North Korean Hackers Deploy New Golang Malware ‘Durian’ Against Crypto Firms

The North Korean threat actor tracked as Kimsuky has been observed deploying a previously undocumented Golang-based malware dubbed Durian as part of highly-targeted cyber attacks aimed at two South Korean cryptocurrency firms.

The attacks, which occurred in August and November 2023, entailed the use of legitimate software exclusive to South Korea as an infection pathway, although the precise mechanism used to manipulate the program is currently unclear.

What’s known is that the software establishes a connection to the attacker’s server, leading to the retrieval of a malicious payload that kicks off the infection sequence.

A notable aspect of the attack is the use of LazyLoad, which has previously been used by Andariel, a sub-cluster within the Lazarus Group, raising the possibility of collaboration or tactical overlap between the two threat actors.

The Kimsuky group has been active since at least 2012, and its malicious cyber activities are also tracked under the names APT43, Black Banshee, Emerald Sleet (formerly Thallium), Springtail, TA427, and Velvet Chollima.

The development comes as the AhnLab Security Intelligence Center (ASEC) detailed a campaign orchestrated by another North Korean state-sponsored hacking group called ScarCruft that’s targeting South Korean users with Windows shortcut (LNK) files that culminate in the deployment of RokRAT.

The adversarial collective, also known as APT37, InkySquid, RedEyes, Ricochet Chollima, and Ruby Sleet, is said to be aligned with North Korea’s Ministry of State Security (MSS) and tasked with covert intelligence gathering in support of the nation’s strategic military, political, and economic interests.