
The Kimsuky hacking group, also known as APT43, has been targeting South Korean crypto firms with cyberattacks using a new Golang-based malware known as Durian. This malware has comprehensive backdoor functionality, allowing the execution of commands, file downloads, and file exfiltration. The attacks took place between August and November 2023, with the group using an exploit in South Korean software to gain initial access to victims’ systems. Once the malware was operational, additional tools were deployed, including Kimsuky’s AppleSeed backdoor and a custom proxy tool named LazyLoad.

LazyLoad, a tool used by Kimsuky, is also linked to Andariel, a sub-group within the Lazarus threat group, suggesting shared tooling and tactics among North Korean threat groups. Kimsuky has been active since at least 2012 and is believed to operate under North Korea’s Reconnaissance General Bureau. The group is known for conducting phishing attacks via email to steal cryptocurrencies. In December 2023, the group was found to have disguised itself as South Korean government agency representatives and journalists to steal cryptocurrencies, with 1,468 people falling victim to its attacks between March and October 2023.

Some of the victims of Kimsuky’s phishing attacks included retired government officials from diplomacy, military, and national security sectors. The group has also targeted Russian aerospace defense companies during the coronavirus pandemic. RT-Inform, the IT security arm of the Russian state-owned tech agency Rostec, reported an increase in cyberattacks on their network between April and September 2020 but did not confirm or deny the reports of Kimsuky’s involvement. The state-backed hacking group continues to pose a threat to various organizations and individuals, utilizing sophisticated tactics to steal cryptocurrencies and sensitive information.

The use of new malware like Durian by the Kimsuky hacking group highlights the evolving nature of cyber threats and the need for organizations to strengthen their cybersecurity measures. By targeting South Korean crypto firms and using tools like LazyLoad and AppleSeed, Kimsuky demonstrates its ability to adapt and innovate in its cyberattacks. The group’s connection to other North Korean threat groups like Andariel and Lazarus further emphasizes the coordinated efforts of state-backed actors in carrying out malicious activities.

The phishing attacks conducted by Kimsuky through email impersonation show its willingness to rely on social engineering to deceive victims and gain access to sensitive information. With victims ranging from government officials to individuals in the cryptocurrency sector, the group’s reach is extensive, posing a significant threat to cybersecurity globally. Organizations and individuals must remain vigilant and implement robust cybersecurity measures to defend against the evolving threats posed by sophisticated actors like Kimsuky.
