A North Korean threat actor tracked as Kimsuky has been observed deploying previously undocumented Golang-based malware, dubbed Durian, as part of a highly targeted cyber attack aimed at two South Korean crypto companies.
“Durian has comprehensive backdoor capabilities that allow it to execute provided commands, download additional files, and extract files,” Kaspersky said in its Q1 2024 APT Trends report.
The attacks, which occurred in August and November 2023, used legitimate South Korean-specific software as an infection vector, but the exact mechanism used to manipulate the program is currently unknown.
What is known is that this software establishes a connection to the attacker's server, leading to the acquisition of a malicious payload that begins the infection sequence.
In the first stage, it acts as an installer for additional malware and as a means to establish persistence on the host. It also paves the way for a malware loader that eventually runs Durian.
Durian, in turn, was used to deploy more malware, including AppleSeed (Kimsuky's go-to backdoor of choice), a custom proxy tool known as LazyLoad, and legitimate tools such as ngrok and Chrome Remote Desktop.
“Ultimately, the attackers implanted malware and stole data stored in the browser, including cookies and login credentials,” Kaspersky said.
A notable aspect of this attack was the use of LazyLoad, which was previously used by Andariel, a subcluster within the Lazarus Group, raising the possibility of cooperation or tactical overlap between the two threat actors.
The Kimsuky group is known to have been active since at least 2012 and is also tracked as APT43, Black Banshee, Emerald Sleet (formerly Thallium), Springtail, TA427, and Velvet Chollima.
It is assessed to be a subordinate element of the 63rd Research Center, an element within the Reconnaissance General Bureau (RGB), the Hermit Kingdom's highest military intelligence organization.
In an advisory earlier this month, the Federal Bureau of Investigation (FBI) and National Security Agency (NSA) said, “Kimsuky's primary mission is to compromise policy analysts and other experts, providing stolen data and valuable geopolitical insight to the North Korean regime.”
“A successful compromise would allow Kimsuky attackers to create more reliable and effective spear phishing emails, which they could exploit against more sensitive and high-value targets.”
Symantec, a Broadcom company, also said the nation-state adversary is running a campaign to distribute a C#-based remote access Trojan and information-stealing tool called TutorialRAT, which uses Dropbox as an “attack base to evade threat monitoring.”
“This campaign appears to be an extension of APT43's BabyShark threat campaign and uses typical spear phishing techniques, including the use of shortcut (LNK) files,” it added.
The development comes as the AhnLab Security Intelligence Center (ASEC) revealed details of a campaign orchestrated by another North Korean state-sponsored hacking group called ScarCruft, which targeted South Korean users with Windows shortcut (LNK) files leading to the deployment of RokRAT.
The hostile group, also known as APT37, InkySquid, RedEyes, Ricochet Chollima, and Ruby Sleet, works with North Korea's Ministry of State Security (MSS) and is said to be tasked with gathering covert intelligence in support of the nation's strategic military, political, and economic interests.
“Recently identified shortcut files (*.LNK) have been found to target users in South Korea, particularly those associated with North Korea,” ASEC said.