Kimsuky observed deploying new Durian malware

Kaspersky's APT trends report for the first quarter highlighted the emergence of a new threat from the North Korean threat group Kimsuky, in the form of a new sophisticated malware named Durian, which the group has used in targeted cyberattacks against South Korean cryptocurrency firms, reports The Hacker News.

Durian exhibits extensive backdoor capabilities, enabling command execution, file downloads, and data exfiltration. According to Kaspersky, the attacks occurred in August and November 2023 and utilized legitimate South Korean software for infiltration, although specifics remain unclear.

Upon connection to the attacker's server, the malware initiates a sequence, installing additional malware for persistence and executing Durian. The Golang-based Durian, in turn, facilitates the deployment of various malicious tools, including AppleSeed and a custom proxy tool named LazyLoad, for stealing data, particularly browser-stored information like cookies and login credentials. The use of LazyLoad suggests a potential collaboration between Kimsuky and Andariel, a sub-cluster within the Lazarus Group.

Kimsuky, also known as APT43, has been active since at least 2012, operating under various aliases and associated with North Korea's Reconnaissance General Bureau.