Durian (Backdoor) – Malware

Overview

The North Korean threat group known as Kimsuky has recently deployed a newly discovered malware named Durian in targeted cyber attacks against two South Korean cryptocurrency companies. Durian is built in Golang and features robust backdoor capabilities, allowing it to execute commands, download additional files, and steal sensitive data through exfiltration.

Targets

South Korean crypto firms.

How they operate

The initial-stage malware acts as a conventional installer designed to deploy supplementary malware and establish a persistence mechanism. Upon execution, the installer generates a subsequent stage loader and adds it to the Windows service for automatic execution. The final payload in this sequence is a previously unknown Golang-based malware dubbed “Durian.” Durian boasts comprehensive backdoor functionality, enabling the execution of delivered commands, additional file downloads, and file exfiltration. Using Durian, the operator employed various preliminary methods to maintain a connection with the victim. First, they introduced additional malware named “AppleSeed,” an HTTP-based backdoor commonly used by the Kimsuky group. Additionally, they incorporated legitimate tools, such as ngrok and Chrome Remote Desktop, along with a custom proxy tool, to access target machines. Ultimately, the actor deployed the malware to steal browser-stored data, including cookies and login credentials.

Significant Malware Campaigns

• The North Korean threat actor tracked as Kimsuky has been observed deploying a previously undocumented Golang-based malware dubbed Durian as part of highly-targeted cyber attacks aimed at two South Korean cryptocurrency firms. (May 2024)

References:

• North Korean Hackers Deploy New Golang Malware ‘Durian’ Against Crypto Firms
• APT trends report Q1 2024