SB Crypto Guru News- latest crypto news, NFTs, DEFI, Web3, Metaverse

Kaspersky’s report reveals new tactics used by North Korean crypto hackers

by SB Crypto Guru News
May 13, 2024
in Scam Alert


  • North Korean hackers deploying “Durian” malware targeting South Korean crypto firms.
  • The resurgence of dormant hackers like Careto underscores the evolving cybersecurity landscape.
  • Hacktivist groups like SiegedSec escalate offensive operations amidst global socio-political events.

The first quarter of 2024 has proven particularly eventful, with notable findings and trends emerging from the frontline of cyber security. From the deployment of sophisticated malware variants to the resurgence of long-dormant threat actors, the landscape of cyber threats continues to shape-shift, presenting new challenges for security experts worldwide.

A recent report by Kaspersky's Global Research and Analysis Team (GReAT) sheds light on the activities of various advanced persistent threat (APT) groups.

The Durian malware targeting South Korean crypto firms

Among GReAT's findings is the emergence of the “Durian” malware, attributed to the North Korean hacking group Kimsuky. It has been used to target South Korean cryptocurrency firms and is highly sophisticated, with comprehensive backdoor functionality.

The Durian malware’s deployment marks a notable escalation in the cyber capabilities of Kimsuky, showcasing their ability to exploit vulnerabilities within the supply chain of targeted organizations.

By infiltrating legitimate security software exclusive to South Korean crypto firms, Kimsuky demonstrates a calculated approach to circumventing traditional security mechanisms. This modus operandi highlights the need for enhanced vigilance and proactive security strategies within the cryptocurrency sector, where the stakes are exceptionally high.

The connection between Kimsuky and the Lazarus Group

The Kaspersky report further unveils a nuanced connection between Kimsuky and another North Korean hacking consortium, the Lazarus Group. While historically distinct entities, the utilization of similar tools such as LazyLoad suggests a potential collaboration or tactical alignment between these crypto-threat actors.

This discovery underscores the interconnected nature of cyber threats, where alliances and partnerships can amplify the impact of malicious activities.

Resurgence of dormant crypto hacking groups

In parallel, the APT trends report reveals a resurgence of long-dormant threat actors, such as the Careto group, whose activities were last observed in 2013.

Despite years of dormancy, Careto resurfaced in 2024 with a series of targeted campaigns, employing custom techniques and sophisticated implants to infiltrate high-profile organizations. This resurgence serves as a stark reminder that cyber threats never truly disappear; they merely adapt and evolve.

Other crypto hacking groups terrorising the world

The Kaspersky report also highlights the emergence of new malware campaigns, such as “DuneQuixote”, targeting government entities in the Middle East. Characterized by sophisticated and practical evasion techniques, these campaigns underscore the evolving tactics of threat actors in the region.

The report also notes the emergence of the “SKYCOOK” implant, used by the OilRig APT to target internet service providers in the Middle East.

Meanwhile, in Southeast Asia and the Korean Peninsula, the activities of threat actors like DroppingElephant continue to pose significant challenges. Leveraging malicious RAT tools and exploiting platforms like Discord for distribution, these actors demonstrate a multifaceted approach to cyber espionage. The use of legitimate software as initial infection vectors further complicates detection and mitigation efforts, highlighting the need for enhanced threat intelligence and collaboration among stakeholders.

On the hacktivism front, groups like SiegedSec have ramped up their offensive operations, targeting companies and government infrastructure in pursuit of social justice-related goals. With a focus on hack-and-leak operations, these groups leverage current socio-political events to amplify their message and impact.


Copyright © 2022 - SB Crypto Guru News.
SB Crypto Guru News is not responsible for the content of external sites.
