The North Korean state-backed hacking crew known as the Lazarus Group has been attributed to yet another financially motivated campaign that leverages a trojanized decentralized finance (DeFi) wallet app to distribute a fully-featured backdoor onto compromised Windows systems.
The app, which is equipped with functionalities to save and manage a cryptocurrency wallet, is also designed to trigger the launch of the implant that can take control of the infected host. Russian cybersecurity firm Kaspersky said it first encountered the rogue application in mid-December 2021.
The infection also installs an installer for legitimate applications, which is then overwritten by a trojanized copy in order to hide its tracks. Although social engineering is suspected, the original route by which the app reached victims remains unclear.
The spawned malware, which masquerades as Google’s Chrome web browser, subsequently launches a wallet app built for the DeFiChain, while also establishing connections to a remote attacker-controlled domain and awaiting further instructions from the server.
Based on the response received from the command-and-control (C2) server, the trojan proceeds to execute a wide range of commands, granting it the ability to collect system information, enumerate and terminate processes, delete files, launch new processes, and save arbitrary files on the machine.
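The two preceding paragraphs describe a backdoor that masquerades as Chrome and then beacons to a C2 server. The following is an added detection example written for this page; it is not code from the original article or from Kaspersky, and it uses constructed process-creation telemetry (the field names `image`, `signer` and `parent`, the sample paths and the installer-like parent heuristic are all assumptions made for the example). It flags any process named chrome.exe that does not live in a genuine Chrome install directory, is not signed by Google LLC, or was launched by an installer-like parent.

```python
import ntpath
import re

# Constructed sample telemetry in the shape of process-creation events
# (image path, code signer, parent process). These records are invented
# for the example; they are not indicators from the campaign above.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "signer": "Google LLC", "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe",
     "signer": "Google LLC", "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Users\alice\AppData\Roaming\WalletApp\chrome.exe",
     "signer": None, "parent": r"C:\Users\alice\Downloads\wallet-setup.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "signer": "Microsoft Windows", "parent": r"C:\Windows\explorer.exe"},
]

# Directories where a genuine Chrome binary lives on Windows (system-wide
# installs and the per-user install under %LOCALAPPDATA%).
SYSTEM_CHROME_DIRS = {
    r"c:\program files\google\chrome\application",
    r"c:\program files (x86)\google\chrome\application",
}
USER_CHROME_DIR = re.compile(
    r"^c:\\users\\[^\\]+\\appdata\\local\\google\\chrome\\application$"
)
EXPECTED_SIGNER = "google llc"


def is_expected_chrome_dir(directory: str) -> bool:
    """True if the directory is one of the legitimate Chrome install locations."""
    d = directory.lower().rstrip("\\")
    return d in SYSTEM_CHROME_DIRS or USER_CHROME_DIR.match(d) is not None


def chrome_masquerade_reasons(event: dict) -> list[str]:
    """Return the reasons a chrome.exe process looks like an impostor.

    An empty list means the process either is not named chrome.exe or
    passes every check.
    """
    image = event["image"]
    if ntpath.basename(image).lower() != "chrome.exe":
        return []  # only processes claiming to be Chrome are assessed
    reasons = []
    if not is_expected_chrome_dir(ntpath.dirname(image)):
        reasons.append("image path outside the expected Chrome install directories")
    signer = (event.get("signer") or "").lower()
    if signer != EXPECTED_SIGNER:
        reasons.append("binary is not signed by Google LLC")
    # Assumed heuristic: a real Chrome is normally started by the shell or
    # by another Chrome, not by a freshly downloaded setup program.
    parent = ntpath.basename(event.get("parent", "")).lower()
    if parent.endswith("setup.exe") or "install" in parent:
        reasons.append(f"launched by an installer-like parent ({parent})")
    return reasons


def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map each flagged image path to the list of reasons it was flagged."""
    return {e["image"]: r for e in events if (r := chrome_masquerade_reasons(e))}


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS).items():
        print(image)
        for reason in reasons:
            print("  -", reason)
```

Only the third sample event is flagged, on all three counts. In a real deployment the path and signer checks carry the weight; the parent heuristic is a weaker signal and is included to show how the wallet-installer context described in the article could be folded into the same rule.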
The C2 infrastructure used in this campaign exclusively consisted of previously compromised web servers located in South Korea, prompting the cybersecurity company to work with the country’s computer emergency response team (KrCERT) to dismantle the servers.
These revelations come two months after Kaspersky revealed details about a “SnatchCrypto” campaign by the Lazarus subgroup BlueNoroff to steal digital funds from victims’ MetaMask wallets.
“For the Lazarus threat actor, financial gain is one of the prime motivations, with a particular emphasis on the cryptocurrency business. As the price of cryptocurrency surges, and the popularity of non-fungible token (NFT) and decentralized finance (DeFi) businesses continues to swell, the Lazarus group’s targeting of the financial industry keeps evolving,” Kaspersky GReAT researchers pointed out.