North Korean Hackers Deploy New Golang Malware 'Durian' Against Crypto Firms

The North Korean APT group Kimsuky has been observed by Kaspersky deploying a previously undocumented Golang-based malware, dubbed Durian, in targeted attacks against two South Korean cryptocurrency firms. Kaspersky states that Durian has comprehensive backdoor functionality: it executes delivered commands, downloads additional files, and exfiltrates files. The attacks occurred in August and November 2023 and used legitimate software exclusive to South Korea as the infection pathway. That software connects to the attackers' C2 server, retrieves the malicious payload, and launches the first stage of the attack chain; it is not yet clear precisely how the attackers manipulate and abuse the legitimate software to do this. The first stage installs additional malware and establishes a foothold on the host. A loader then executes the Durian backdoor, which is used to download further malware, including the AppleSeed backdoor and a proxy tool called LazyLoad. The attackers also abuse Chrome Remote Desktop for remote access. The goal of the campaign was to steal browser data, including cookies and credentials, both to gain geopolitical insight and to use those credentials to compromise targets holding more valuable information.
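The chain above ends with theft of browser cookies and credentials and with abuse of Chrome Remote Desktop for hands-on access. The following is an added hunting example written for this summary; it is not code from Kaspersky's report or from the malware. It runs two heuristics over constructed endpoint events (file-access and process-creation records in an assumed shape): a process other than a browser opening Chrome's credential or cookie stores, and a Chrome Remote Desktop host being registered from the command line. The Chrome file names, the `remoting_start_host.exe` binary name and the `--code=` argument are assumptions about how Chrome and Chrome Remote Desktop are laid out on disk, not indicators taken from the report.

```python
# Added hunting example (not Kaspersky's analysis code and not the malware's own code).
# It scans constructed endpoint events for two behaviours named in the write-up:
#   1. a process other than a browser reading Chrome's saved-login / cookie stores
#   2. a Chrome Remote Desktop host being registered from the command line
# Event shape, file names and binary names are assumptions documented inline.
import ntpath
from dataclasses import dataclass

# Chrome keeps saved logins and cookies in SQLite files under "User Data";
# "Local State" holds the DPAPI-wrapped key that decrypts them (assumed layout).
CHROME_SECRET_FILES = {"login data", "cookies", "local state"}
BROWSER_IMAGES = {"chrome.exe", "msedge.exe"}   # processes expected to open them

# Assumed Chrome Remote Desktop binary: remoting_start_host.exe is the CLI
# registration tool, which takes a --code= token from the Google web flow.
CRD_REGISTRATION_IMAGE = "remoting_start_host.exe"


@dataclass(frozen=True)
class Event:
    kind: str            # "file_access" or "process_create"
    host: str            # endpoint name
    image: str           # full path of the acting process
    target: str = ""     # file path, for file_access events
    cmdline: str = ""    # command line, for process_create events


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def is_chrome_secret_store(path: str) -> bool:
    """True if the path points at one of Chrome's credential/cookie files."""
    low = path.lower()
    return "\\user data\\" in low and _base(low) in CHROME_SECRET_FILES


def check_event(ev: Event) -> list[str]:
    """Return zero or more human-readable findings for a single event."""
    findings = []
    if ev.kind == "file_access" and is_chrome_secret_store(ev.target):
        if _base(ev.image) not in BROWSER_IMAGES:
            findings.append(
                f"{ev.host}: non-browser process {_base(ev.image)} "
                f"opened Chrome store '{ntpath.basename(ev.target)}'"
            )
    if ev.kind == "process_create" and _base(ev.image) == CRD_REGISTRATION_IMAGE:
        detail = "with a registration code" if "--code=" in ev.cmdline.lower() else ""
        findings.append(
            f"{ev.host}: Chrome Remote Desktop host registration {detail}".rstrip()
        )
    return findings


def hunt(events: list[Event]) -> list[str]:
    """Run every event through the checks and collect the findings."""
    out = []
    for ev in events:
        out.extend(check_event(ev))
    return out


# Constructed sample events (not real telemetry).
PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data"
SAMPLE_EVENTS = [
    Event("file_access", "WS01", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          target=PROFILE + r"\Default\Login Data"),            # benign: Chrome itself
    Event("file_access", "WS01", r"C:\Users\Public\update.exe",
          target=PROFILE + r"\Default\Login Data"),            # suspicious
    Event("file_access", "WS01", r"C:\Users\Public\update.exe",
          target=PROFILE + r"\Local State"),                   # suspicious (key file)
    Event("file_access", "WS01", r"C:\Windows\explorer.exe",
          target=r"C:\Users\alice\Documents\notes.txt"),       # benign
    Event("process_create", "WS01",
          r"C:\Program Files (x86)\Google\Chrome Remote Desktop\123.0\remoting_start_host.exe",
          cmdline='remoting_start_host.exe --code="4/0Aexample" --name=WS01'),  # suspicious
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

Running the block prints three findings for the sample: two for `update.exe` touching the login database and the key file, and one for the Chrome Remote Desktop registration. Neither heuristic identifies Durian itself; they surface behaviour consistent with the campaign's goal. The first check will also fire on legitimate backup agents and EDR scanners, so those images belong on an allowlist alongside the browsers, and the second is only meaningful where Chrome Remote Desktop is not an approved remote-access tool.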

Security Officer Comments:
The Kimsuky group has been active since 2012, and North Korean state-sponsored activity has surged recently. AhnLab Security Intelligence Center (ASEC) detailed a campaign in a report published April 26th, 2024, orchestrated by another North Korean state-sponsored group, ScarCruft, that targets South Korean users with Windows shortcut (LNK) files culminating in the deployment of RokRAT malware. AppleSeed is a tool historically associated with Kimsuky, which led researchers to attribute this attack to the group with high confidence. The custom proxy tool LazyLoad has previously been used by a sub-cluster within Lazarus Group, another North Korean APT, which suggests either collaboration or an overlap in tooling and technique between these nation-state actors. Further investigation of the tactics shared between these threat actors may be insightful.

Suggested Corrections:
Recommendations regarding defending against APT groups:
  • Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
  • Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
  • Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
  • Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.