    North Korean Hackers Deploy New Golang Malware “Durian” Targeting Cryptocurrency Companies

By techempire

Report, May 10, 2024, Editorial Department, Malware/cyber espionage

A North Korean threat actor tracked as Kimsuky has been observed deploying previously undocumented Golang-based malware known as Durian as part of a highly targeted cyberattack against two South Korean cryptocurrency companies.

    “Durian has comprehensive backdoor capabilities that allow it to execute sent commands, download additional files, and exfiltrate files,” Kaspersky said in its Q1 2024 APT Trends Report.

The attacks, which occurred in August and November 2023, involved the use of legitimate software specific to South Korea as the infection vector, but the exact mechanism used to manipulate the program is currently unclear.

The software is known to establish a connection to the attacker’s server and retrieve a malicious payload, which initiates the infection sequence.

    The first stage serves as an installer for other malware and a method to establish persistence on the host. It also paves the way for the eventual execution of Durian’s loader malware.

Durian was used to deliver additional malware, including Kimsuky’s primary backdoor of choice, AppleSeed, a custom proxy tool called LazyLoad, and legitimate tools such as ngrok and Chrome Remote Desktop.

    “Ultimately, the attackers planted malware that stole data stored by the browser, including cookies and login credentials,” Kaspersky said.

    One notable aspect of this attack was the use of LazyLoad, which has been previously used by Andariel, a sub-cluster within the Lazarus Group, raising the possibility of potential collaboration or tactical overlap between the two threat actors.

    The Kimsuky group is known to have been active since at least 2012, and its malicious network activities are also monitored under names such as APT43, Black Banshee, Emerald Sleet (formerly known as Thallium), Springtail, TA427, and Velvet Chollima.

It is assessed to be a subordinate element of Research Center 63, a division of the Reconnaissance General Bureau (RGB), the Hermit Kingdom’s premier military intelligence organization.

“The primary mission of Kimsuky actors is to provide stolen data and valuable information and geopolitical insights to the North Korean regime by compromising policy analysts and other experts,” the FBI and NSA said in an alert.

    “Successful compromises further enable Kimsuky attackers to craft more credible and effective spear phishing emails, which can then be leveraged against more sensitive, higher value targets.”

Broadcom-owned Symantec said the nation-state adversary was also linked to a campaign delivering a C#-based remote access trojan and information stealer called TutorialRAT that used Dropbox as an “attack base to evade threat surveillance.”

    “This campaign appears to be an extension of the APT43 BabyShark threat campaign and employs typical spear phishing techniques, including the use of shortcut (LNK) files,” it added.

The development comes as the AhnLab Security Intelligence Center (ASEC) detailed a campaign orchestrated by another North Korean state-sponsored hacking group called ScarCruft that targeted South Korean users with Windows shortcut (LNK) files to ultimately deploy RokRAT.

The hostile group, also known as APT37, InkySquid, RedEyes, Ricochet Chollima and Ruby Sleet, is assessed to be affiliated with North Korea’s Ministry of State Security (MSS) and is responsible for gathering secret intelligence to support the country’s strategic military, political and economic interests.

    “The recently identified shortcut files (*.LNK) target South Korean users, specifically those associated with North Korea,” ASEC said.
