A state-backed North Korean hacking team, also known as the Lazarus Group, has been linked to another financially motivated campaign that uses a decentralized finance (DeFi) wallet Trojan application to spread a fully functional backdoor to compromised Windows systems.
The app, equipped with features for saving and managing a cryptocurrency wallet, is also designed to launch an implant that can take control of the infected host. Russian cybersecurity company Kaspersky Lab said it first encountered the rogue app in mid-December 2021.
The infection chain initiated by the application also results in the deployment of the legitimate application's installer, which is overwritten by the Trojan version to cover its tracks. The initial access vector is unclear, although social engineering is suspected.
The dropped malware, which masquerades as the Google Chrome web browser, subsequently launches a wallet application built for DeFiChain, establishes a connection to a remote domain controlled by the attacker, and waits for further instructions from the server.
Based on the response received from the command and control (C2) server, the Trojan proceeds to execute a wide range of commands, giving it the ability to collect system information, list and end processes, delete files, start new processes, and store arbitrary files on the machine.
The C2 infrastructure used in this campaign consisted solely of previously compromised web servers located in South Korea, prompting the cybersecurity company to work with the National Computer Emergency Response Team (KrCERT) to take down the servers.
The findings come more than two months after Kaspersky Lab revealed details of a similar “SnatchCrypto” campaign organized by a Lazarus subgroup tracked as BlueNoroff to withdraw digital funds from victims’ MetaMask wallets.
“For the Lazarus attacker, financial gain is one of the main motives, with a particular focus on the cryptocurrency business. As the price of cryptocurrencies rises, and the popularity of non-fungible tokens (NFT) and decentralized finance (DeFi) businesses continues to grow, the Lazarus group’s focus on the financial industry continues to evolve,” Kaspersky GReAT researchers note.