The Kimsuky hacker organisation, also tracked as APT43, is based in North Korea and has recently gained attention for its cyberattacks against South Korean crypto companies. With the use of a previously unreported Golang-based malware, called Durian, Kimsuky has demonstrated its increasing level of competence in cyber warfare.

Durian: The Weapon of Choice

Durian, characterised by its comprehensive backdoor functionality, serves as the linchpin of Kimsuky’s recent offensive. The malware can execute commands, download additional files, and exfiltrate critical data, making it a potent threat to its targets.

Our latest APT trends for Q1, 2024 is now live and includes a look at some of the more interesting APT activities revealed during Q1, including Careto APT reappearance, hacktivist activity, and much more. Full report ⇒ https://t.co/yTe8mxePF1 pic.twitter.com/37N8ZGliZA

— Kaspersky (@kaspersky) May 9, 2024

The attacks, spanning from August to November 2023, capitalised on a South Korean software exploit to gain initial access. Once embedded within the victim’s systems, Durian seamlessly integrates additional tools, including Kimsuky’s signature backdoor, AppleSeed, and a bespoke proxy tool dubbed LazyLoad.

Unraveling Connections

Of particular interest is the link between LazyLoad and Andariel, a sub-group within the notorious Lazarus Group. This connection raises suspicions of shared tactics and collaboration among North Korean threat groups, hinting at a complex web of cyber operations orchestrated by the regime.

Kimsuky’s notoriety extends beyond its recent exploits, with a history of phishing attacks targeting cryptocurrencies. In a brazen move, the group impersonated South Korean government agencies and journalists to pilfer cryptocurrencies from unsuspecting victims, including retired government officials.

The recent wave of attacks underscores North Korea’s escalating involvement in cyber warfare, with reports indicating that such activities now constitute a significant portion of the regime’s foreign currency earnings. This revelation sheds light on the evolving strategies employed by state-backed threat actors to fund illicit activities.

North Korea’s Crypto Hacking Activity

In 2023, North Korea’s cryptocurrency hacking activities peaked, according to a Chainalysis analysis. According to the research, 20 cryptocurrency platforms were breached by hackers with ties to North Korea last year—the most between 2016 and 2023. The FBI asserts that a $100 million cryptocurrency robbery on the Horizon Bridge in 2022 was carried out by hackers with ties to North Korea.

According to a different analysis by blockchain analytics company TRM Labs, in 2023, North Korean hackers stole at least $600 million in cryptocurrency. The FBI said in September that around $41 million in cryptocurrency assets were stolen from Stake.com, a digital gambling and betting site, by North Korea’s Lazarus Group.

Sinbad.io, a virtual currency mixer used by Lazarus Group, was sanctioned by the U.S. Department of the Treasury’s Office of Foreign Assets Control on November 29. Lazarus Group was responsible for laundering millions of dollars’ worth of cryptocurrency stolen in the Horizon Bridge and Axie Infinity breaches.

According to earlier studies, hackers with ties to North Korea stole hundreds of millions of cryptocurrency to finance the country’s nuclear weapons projects. Several UN sanctions have been imposed on North Korea since its first nuclear test in 2006 in an effort to restrict the regime’s ability to get money for its nuclear program.

The Lazarus Connection

The nexus between Kimsuky and Lazarus, two of North Korea’s most notorious hacking groups, further amplifies concerns within the cybersecurity community. Lazarus, infamous for its extensive laundering of ill-gotten cryptocurrency, exemplifies the magnitude of the threat posed by North Korean state-sponsored cyber operations.

As the global community grapples with the implications of North Korea’s cyber aggression, the need for enhanced cybersecurity measures becomes paramount. The recent sanctions on crypto mixers and heightened scrutiny of privacy protocols underscore the urgency of fortifying defences against state-sponsored cyber threats.

The emergence of Durian and Kimsuky’s relentless pursuit of cryptocurrency assets underscores the evolving landscape of cyber warfare. As North Korea continues to leverage its cyber capabilities for financial gain, vigilance and collaboration among nations are essential to safeguarding against the ever-present threat posed by state-sponsored hacking groups.

Some of the Crypto Hacks of 2024

The 2024 cryptocurrency bull market is still booming, but fraudsters and hackers are coming back to target investor wallets, DeFi protocols, and centralised exchanges. Over $200 million worth of digital assets were stolen in 32 incidents in the first quarter of 2024 alone, a 15% rise over the same time in 2023. 

With 12 attacks accounting for more than 85% of the total value lost in Q1, Ethereum was the blockchain that suffered the most. One significant event affected both the Bitcoin network and Binance’s BNB Chain. The biggest breach of the year occurred on the cryptocurrency gaming site PlayDapp, which lost $32.3 million in converted currency and $290 million in stolen funds. In the initial attack on February 9th, the attacker was able to create 200 million PLA tokens, valued at around $36.5 million.

At $26.1 million, FixedFloat had the second-biggest heist. The exchange’s smart contract had a vulnerability that was used to carry out the attack. The crypto exchange went into repair mode after first attributing the significant cash drain to “minor technical problems.” The company then refuted claims of insider participation and said that an outsider had taken advantage of security holes and weaknesses in the system to get access to the protocol’s key features.

A cyberattack on the South Korean blockchain enterprise Orbit Chain cost the company more than $80 million. The hack was attributed to the compromise of multiple signers, which gave the attacker access to several cryptocurrencies, such as wrapped Bitcoin (WBTC), Ether (ETH), and stablecoins. This incident underscores the ongoing risks in cryptocurrency security, specifically around multisig wallets and private key management.

As of now, the stolen assets remain unmoved. Our team is constantly monitoring the stolen asset, and we promise to inform the community once the address associated with the stolen asset has taken action.

— Orbit Chain (@Orbit_Chain) January 2, 2024

A vulnerability in the Layer-1 Proof-of-Stake (PoS) blockchain Shido led to the loss of almost $35 million worth of SHIDO tokens.

Hi @ShidoGlobal There is a sudden owner transfer to 0x1982. The new owner immediately upgrades the StakingV4Proxy contract with a hidden withdrawToken() function. This hidden function is then called to withdraw all 4,353,473,223.864904 $SHIDO. Here are related txs: – owner… https://t.co/TZ6oMDGwMG pic.twitter.com/VGZtyg9PEf

— PeckShield Inc. (@peckshield) February 29, 2024
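The sequence PeckShield describes (owner transfer, immediate proxy upgrade, then a drain of the proxy's token balance) is detectable on-chain before the drain lands, because each step emits an event. The monitoring heuristic below is an added example, not code from the original post, Shido or PeckShield; event names follow the common OpenZeppelin Ownable / ERC1967 / ERC20 conventions, and the event log is constructed sample data modelled on the incident, not real chain data.

```python
"""Flag an OwnershipTransferred that is followed, within a short block
window, by an Upgraded event on the same proxy, and total any token
outflow from that proxy in the same window.  Added example; the event
names are the OpenZeppelin convention and the log below is constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Event:
    block: int        # block number the event was emitted in
    contract: str     # emitting contract (label stands in for an address)
    name: str         # event name as it appears in the ABI
    args: Dict[str, object]


# Constructed sample log modelled on the pattern described in the tweet.
SAMPLE_EVENTS: List[Event] = [
    Event(100, "StakingV4Proxy", "Transfer",
          {"from": "0xuser1", "to": "StakingV4Proxy", "value": 50_000}),
    Event(101, "StakingV4Proxy", "OwnershipTransferred",
          {"previousOwner": "0xteam", "newOwner": "0xattacker"}),
    Event(102, "StakingV4Proxy", "Upgraded", {"implementation": "0xnewimpl"}),
    Event(103, "SHIDO", "Transfer",       # token contract emits the outflow
          {"from": "StakingV4Proxy", "to": "0xattacker", "value": 4_353_473_223}),
]


def find_hostile_upgrade(events: List[Event], window_blocks: int = 10) -> List[dict]:
    """Return one alert per (OwnershipTransferred -> Upgraded) pair on the
    same contract within `window_blocks`, including the sum of Transfer
    events that moved tokens out of that contract inside the window."""
    alerts = []
    events = sorted(events, key=lambda e: e.block)
    for i, ev in enumerate(events):
        if ev.name != "OwnershipTransferred":
            continue
        window_end = ev.block + window_blocks
        for later in events[i + 1:]:
            if later.block > window_end:
                break                       # events are sorted; leave the window
            if later.contract == ev.contract and later.name == "Upgraded":
                drained = sum(int(t.args["value"]) for t in events
                              if t.name == "Transfer"
                              and t.args.get("from") == ev.contract
                              and ev.block <= t.block <= window_end)
                alerts.append({"contract": ev.contract, "owner_block": ev.block,
                               "new_owner": ev.args["newOwner"],
                               "upgrade_block": later.block,
                               "implementation": later.args["implementation"],
                               "drained": drained})
                break                       # one alert per ownership change
    return alerts
```

In practice the same rule runs against a live event feed, and a governance timelock on the proxy admin gives defenders the window the heuristic needs.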

Elizabeth Kerr, a crypto expert at Banklesstimes, believes that regulatory interventions and stricter compliance requirements have compelled crypto entities to prioritise security and adopt best practices in safeguarding user funds. She views the recent decline in hacks and exploits as a significant achievement for the crypto industry, especially considering the massive losses it faced just a few years ago, which led many to predict its downfall. Kerr sees this transformation as indicative of the growing maturity and resilience of the crypto industry.

The post Durian Unveiled: A Comprehensive Analysis of Kimsuky’s Cryptocurrency Cyber Arsenal and Its Impact on South Korean Crypto Companies appeared first on Metaverse Post.