North Korean Hackers Distributing Trojanized DeFi Wallet Apps to Steal Victims’ Crypto

The North Korean state-backed hacking crew, otherwise known as the Lazarus Group, has been attributed to yet another financially motivated campaign that leverages a trojanized decentralized finance (DeFi) wallet app to distribute a fully-featured backdoor onto compromised Windows systems.

The app, which is equipped with functionalities to save and manage a cryptocurrency wallet, is also designed to trigger the launch of the implant that can take control of the infected host. Russian cybersecurity firm Kaspersky said it first encountered the rogue application in mid-December 2021.

The infection scheme initiated by the app also results in the deployment of the installer for a legitimate application, which gets overwritten with a trojanized version in an effort to cover its tracks. That said, the initial access avenue is unclear, although it's suspected to be a case of social engineering.

The spawned malware, which masquerades as Google's Chrome web browser, subsequently launches a wallet app built for the DeFiChain, while also establishing connections to a remote attacker-controlled domain and awaiting further instructions from the server.

Based on the response received from the command-and-control (C2) server, the trojan proceeds to execute a wide range of commands, granting it the ability to collect system information, enumerate and terminate processes, delete files, launch new processes, and save arbitrary files on the machine.

The C2 infrastructure used in this campaign exclusively consisted of previously compromised web servers located in South Korea, prompting the cybersecurity company to work with the country's computer emergency response team (KrCERT) to dismantle the servers.

The findings come more than two months after Kaspersky disclosed details of a similar "SnatchCrypto" campaign mounted by the Lazarus sub-group tracked as BlueNoroff to drain digital funds from victims' MetaMask wallets.

"For the Lazarus threat actor, financial gain is one of the prime motivations, with a particular emphasis on the cryptocurrency business. As the price of cryptocurrency surges, and the popularity of non-fungible token (NFT) and decentralized finance (DeFi) businesses continues to swell, the Lazarus group's targeting of the financial industry keeps evolving," Kaspersky GReAT researchers pointed out.
