朝鲜黑客使用新的Golang恶意软件'Durian'攻击加密货币公司

The North Korean threat actor tracked as Kimsuky has been observed deploying a previously undocumented Golang-based malware dubbed Durian as part of highly-targeted cyber attacks aimed at two South Korean cryptocurrency firms.

作为Kimsuky跟踪的朝鲜威胁行为者，已经发现部署了一种名为Durian的以Golang为基础的先前未记录的恶意软件，作为针对两家韩国加密货币公司的高度定向网络攻击的一部分。

"Durian boasts comprehensive backdoor functionality, enabling the execution of delivered commands, additional file downloads, and exfiltration of files," Kaspersky said in its APT trends report for Q1 2024.

"Durian拥有全面的后门功能，可执行传送命令、额外文件下载以及文件外泄，" 卡巴斯基在其2024年第一季度APT趋势报告中表示。

The attacks, which occurred in August and November 2023, entailed the use of legitimate software exclusive to South Korea as an infection pathway, although the precise mechanism used to manipulate the program is currently unclear.

这些攻击发生在2023年8月和11月，攻击利用了韩国独有的合法软件作为感染途径，尽管目前尚不清楚用于操纵该程序的确切机制。

What's known is that the software establishes a connection to the attacker's server, leading to the retrieval of a malicious payload that kicks off the infection sequence.

已知的是该软件建立与攻击者服务器的连接，导致检索恶意有效载荷，从而启动感染序列。

The first-stage serves as an installer for additional malware and a means to establish persistence on the host. It also paves the way for a loader malware that eventually executes Durian.

首阶段作为附加恶意软件的安装程序和在主机上建立持久性的手段。它还为最终执行Durian的加载程序铺平了道路。

Durian, for its part, is employed to introduce more malware, including AppleSeed, Kimsuky's staple backdoor of choice, a custom proxy tool known as LazyLoad, as well as other legitimate tools like ngrok and Chrome Remote Desktop.

至于Durian，它被用于引入更多恶意软件，包括AppleSeed，Kimsuky的首选后门，一个名为LazyLoad的自定义代理工具，以及其他合法工具如ngrok和Chrome远程桌面。

"Ultimately, the actor implanted the malware to pilfer browser-stored data including cookies and login credentials," Kaspersky said.

"最终，行为者植入了恶意软件以窃取浏览器存储的数据，包括cookie和登录凭据，" 卡巴斯基表示。

A notable aspect of the attack is the use of LazyLoad, which has been previously put to use by Andariel, a sub-cluster within the Lazarus Group, raising the possibility of a potential collaboration or a tactical overlap between the two threat actors.

攻击中一个值得注意的方面是LazyLoad的使用，该工具此前已被Lazarus组织的一个子集Andariel使用，引发了两个威胁行为者之间潜在合作或战术重叠的可能性。

The Kimsuky group is known to be active since at least 2012, with its malicious cyber activities also monitored under the names APT43, Black Banshee, Emerald Sleet (formerly Thallium), Springtail, TA427, and Velvet Chollima.

Kimsuky团体自至少2012年以来就一直活跃，其恶意网络活动也以APT43、Black Banshee、Emerald Sleet（前身为Thallium）、Springtail、TA427和Velvet Chollima等名称被监控。

It is assessed to be a subordinate element to the 63rd Research Center, a department within the Reconnaissance General Bureau (RGB), the hermit kingdom's premier military intelligence organization.

它被评估为63研究中心的下属部门，该中心是朝鲜隐士王国的首要军事情报组织中的一个部门。

"Kimsuky actors' primary mission is to provide stolen data and valuable geopolitical insight to the North Korean regime by compromising policy analysts and other experts," the U.S. Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) said in an alert earlier this month.

"Kimsuky行动人员的主要任务是通过攻击政策分析师和其他专家来窃取数据和有价值的地缘政治见解，" 美国联邦调查局（FBI）和国家安全局（NSA）本月早些时候在一份警报中表示。

"Successful compromises further enable Kimsuky actors to craft more credible and effective spear-phishing emails, which can then be leveraged against more sensitive, higher-value targets."

"成功的侵犯进一步使Kimsuky行动人员能够制作更可信和有效的矛头钓鱼电子邮件，然后可以针对更敏感、更高价值的目标进行利用。"

The nation-state adversary has also been linked to campaigns that deliver a C#-based remote access trojan and information stealer called TutorialRAT that utilizes Dropbox as a "base for their attacks to evade threat monitoring," Broadcom-owned Symantec said.

这个国家对手还与传递基于C#的远程访问木马和名为TutorialRAT的信息窃取者的活动联系在一起，后者利用Dropbox作为"基地进行攻击以逃避威胁监控，" 归属于Broadcom的赛门铁克表示。

"This campaign appears to be an extension of APT43's BabyShark threat campaign and employs typical spear-phishing techniques, including the use of shortcut (LNK) files," it added.

"这个活动似乎是APT43的BabyShark威胁活动的延伸，采用典型的矛头钓鱼技术，包括使用快捷方式（LNK）文件。"

The development comes as the AhnLab Security Intelligence Center (ASEC) detailed a campaign orchestrated by another North Korean state-sponsored hacking group called ScarCruft that's targeting South Korean users with Windows shortcut (LNK) files that culminate in the deployment of RokRAT.

随着安全实验室安全情报中心（ASEC）详细描述了由另一个名为ScarCruft的朝鲜国家支持黑客组织策划的一场针对韩国用户的活动，该活动利用Windows快捷方式（LNK）文件，最终部署了RokRAT。

The adversarial collective, also known as APT37, InkySquid, RedEyes, Ricochet Chollima, and Ruby Sleet, is said to be aligned with North Korea's Ministry of State Security (MSS) and tasked with covert intelligence gathering in support of the nation's strategic military, political, and economic interests.

这个敌对集体，也被称为APT37、InkySquid、RedEyes、Ricochet Chollima和Ruby Sleet，据称与朝鲜的国家安全部（MSS）对齐，并负责秘密情报收集，以支持该国的战略军事、政治和经济利益。

"The recently confirmed shortcut files (*.LNK) are found to be targeting South Korean users, particularly those related to North Korea," ASEC said.

"最近确认的快捷方式文件（*.LNK）被发现针对韩国用户，特别是与朝鲜有关的用户，" ASEC 说。

参考资料

[1]https://thehackernews.com/2024/05/north-korean-hackers-deploy-new-golang.html

原文始发于微信公众号（知机安全）：朝鲜黑客使用新的Golang恶意软件'Durian'攻击加密货币公司