Posted on April 2, 2022 at 2:13 PM
A recent report has revealed that threat actors linked with the North Korean government are distributing a trojanized version of a DeFi wallet. The hackers are using these wallets to gain access to devices and systems used by crypto holders and investors.
According to the report, the hackers took advantage of previously compromised web servers in South Korea to host the malware and communicate directly with the installed implants.
The North Korean hacking group, known as Lazarus Group, is using the campaign to gain financially. They are leveraging a trojanized DeFi wallet app to plant a full-featured backdoor into the compromised Windows machines.
The App Has Several Functionalities
The app is equipped with functionality to save and manage a crypto wallet. It also triggers the release of the implant that takes control of the infected host. According to the Russian cybersecurity firm Kaspersky, the rogue application was first discovered in mid-December.
According to the report, the infection chain the app initiates leads to the deployment of the installer for a legitimate application; the trojan then overwrites the installed version to cover its tracks. It is not yet clear how the threat actors gain initial access, although some researchers suspect social engineering.
The Trojan Executes A Wide Range Of Commands
The spawned malware masquerades as the Google Chrome web browser and later launches a wallet app meant for DeFiChain. It also establishes a connection to a remote attacker-controlled domain and retrieves further instructions from the command and control (C2) server.
The trojan then executes a wide range of commands based on the instructions received from the C2 server. This gives it the capability to collect system information, delete files, terminate processes, save arbitrary files, and launch new processes.
The Kaspersky researchers noted that the C2 infrastructure used in the campaign consists of previously compromised web servers in South Korea. This prompted the researchers to collaborate with the country's computer emergency response team to secure the servers.
The latest report on the North Korean group comes two months after Kaspersky reported a similar campaign, known as "SnatchCrypto", run by the same Lazarus Group. In that campaign the hackers stole crypto funds from their victims' MetaMask wallets.
Lazarus Group Looks For Financial Gains
Unlike some other state-sponsored hacking syndicates, the Lazarus group has financial gains as one of its major priorities. The group usually launches attacks with the hope of stealing cryptocurrencies from their victims. With the increase in the price of crypto-assets and the rise in popularity of nonfungible tokens (NFTs), the Lazarus group has intensified its efforts to target individuals and organizations in the financial industry, according to Kaspersky GReAT researchers.
The Threat Actors Used Fully Functional Backdoor
The Kaspersky researchers also noted that the threat actors used a fully functional backdoor to penetrate victims' systems and carry out their actions. The trojanized DeFi app carried a compilation date of November 2021 and bundled a complete backdoor for execution on the system.
The researchers also stated that the malware delivered this way has full invasive capabilities, allowing it to carry out all sorts of activities on the victim's computer or device.
Additional functions of the malware include collecting information about the system, including the computer's CPU architecture, operating system and IP name. It also collects information about the types of drives and the free space available, and downloads files from the C2 server. The malware is also capable of obtaining a list of the files stored in a specific location.
Kaspersky and South Korean CERT Have Taken Down Some Domains
The collaboration between the South Korean CERT and Kaspersky researchers yielded some positive results, as they were able to take down some of the domains used in the campaign. They also analyzed and compared the C2 scripts to gain more insight into the hackers' capabilities and methods.
Their findings showed overlaps with other operations from threat actors linked to North Korea.
Lazarus is an umbrella term used to refer to all threat activity from state-sponsored North Korean actors. It is also worth noting that there are distinct threat groups operating under different departments or institutions of the country's intelligence apparatus. Together, these groups have compromised the servers of several organizations and institutions.