
North Korean Hackers Distribute Trojanized DeFi Wallet Apps to Steal Victims’ Crypto

The North Korean state-backed hacking crew known as the Lazarus Group has been attributed to yet another financially motivated campaign, this one using a trojanized decentralized finance (DeFi) wallet application to deliver a fully featured backdoor onto compromised Windows systems.

The app, which carries working functionality to create and manage a cryptocurrency wallet, is also designed to launch an implant that gives the operator control of the infected host. Russian cybersecurity firm Kaspersky said it first encountered the malicious app in mid-December 2021.


When run, the trojanized app drops both the malware and an installer for the legitimate wallet application; the malware then replaces the trojanized app on disk with that legitimate installer in an attempt to cover its tracks. The initial infection vector, however, remains unclear, although it is suspected to involve social engineering.

The spawned malware, which masquerades as Google's Chrome web browser, then launches the wallet application built for DeFiChain while connecting to an attacker-controlled remote domain and awaiting further instructions from the server.


Depending on the response received from the command-and-control (C2) server, the Trojan executes one of a wide range of commands, allowing it to collect system information, enumerate and terminate processes, delete files, launch new processes and write arbitrary files to the machine.

The C2 infrastructure used in this campaign consisted exclusively of previously compromised web servers located in South Korea, prompting the cybersecurity firm to work with the country's Computer Emergency Response Team (KrCERT) to take the servers down.


The findings come more than two months after Kaspersky disclosed details of a similar "SnatchCrypto" campaign mounted by the Lazarus subgroup tracked as BlueNoroff to drain digital funds from victims' MetaMask wallets.

"For threat actor Lazarus, financial gain is a primary motivation, with a particular focus on cryptocurrency activity. As the price of cryptocurrency increases and the popularity of non-fungible token (NFT) and decentralized finance (DeFi) businesses continues to rise, the Lazarus Group's focus on the financial sector continues to evolve," Kaspersky GReAT researchers said.