Durian Malware

The Kimsuky North Korean threat group has recently utilized a new Golang-based malware named Durian in specific cyber operations targeting two South Korean cryptocurrency companies. Durian is an advanced malware with extensive backdoor capabilities, allowing it to execute commands, download files, and harvest data from compromised systems.

Infection Vector for the Delivery of the Durian Malware

The incidents took place in August and November 2023 and involved the exploitation of legitimate software that is exclusive to South Korean as a method of infection. The specific method used to exploit this software is not yet fully uncovered by researchers. 

What is understood is that this software establishes communication with the attacker's server, which then retrieves an unsafe payload to initiate the infection process. The initial stage acts as an installer for further malware and establishes persistence on the affected host. It also facilitates the deployment of a loader malware that ultimately triggers Durian's execution.

Additional Malware Utilized by Attackers Alongside Durian

The attackers use Durian to deploy additional malware, including AppleSeed (Kimsuky's preferred backdoor), a custom proxy tool named LazyLoad, along with legitimate tools such as ngrok and Chrome Remote Desktop. The objective was to steal browser-stored data like cookies and login credentials.

An interesting point in the attack is the utilization of LazyLoad, previously associated with Andariel, a sub-group within the Lazarus Group. This suggests a potential collaboration or tactical alignment between these threat actors.

Kimsuky Remains a Major Player on the Cybercrime Scene

The Kimsuky group, active since at least 2012, is also known by various aliases, including APT43, Black Banshee, Emerald Sleet (formerly Thallium), Springtail, TA427, and Velvet Chollima. It is believed to operate under the 63rd Research Center, a division of the Reconnaissance General Bureau (RGB), North Korea's top military intelligence organization.

According to a joint alert by the U.S. Federal Bureau of Investigation (FBI) and the National Security Agency (NSA), Kimsuky's primary goal is to provide stolen data and geopolitical insights to the North Korean regime. They achieve this by compromising policy analysts and experts. Successful compromises allow Kimsuky actors to develop more convincing spear-phishing emails for targeting higher-value individuals.

Kimsuky has also been associated with campaigns involving a C#-based remote access Trojan and information collector known as TutorialRAT. This malware uses Dropbox as a platform to launch attacks, aiming to evade threat detection. This campaign, reminiscent of APT43's BabyShark threat campaign, employs common spear-phishing techniques, including the use of shortcut (LNK) files.