Hackers associated with the North Korean government have been distributing a trojanized version of the DeFi Wallet for storing cryptocurrency assets to gain access to the systems of cryptocurrency users and investors.
In this attack, the threat actor relied on web servers located in South Korea to push the malware and to communicate with the installed implants.
Fully functional backdoor
Researchers at cybersecurity company Kaspersky recently discovered a malicious variant of the DeFi Wallet app that installed the legitimate application along with a backdoor disguised as the executable for the Google Chrome web browser.
The trojanized DeFi application carried a compilation date from November 2021 and dropped a full-featured backdoor when executed on the system.
It is unclear what distribution method the hackers used, but phishing emails or contacting victims over social media are plausible scenarios.
According to the researchers, the malware planted this way has “sufficient capabilities to control” the victim host by executing Windows commands, deleting files, launching or terminating processes, enumerating files along with associated metadata, or connecting the computer to a given IP address.
Additional functions allow the malware operator to collect information about the system (IP, name, OS, CPU architecture) and the drives (type, free space available), download files from the command and control server (C2), and get a list of files stored in a specific location.
DPRK connections
Kaspersky researchers worked with the South Korean CERT (Computer Emergency Response Team) to take down some of the domains used in this campaign and were able to analyze and compare the C2 scripts.
The findings revealed overlaps with other operations from attackers linked to North Korea, generically referred to as the Lazarus group.
“We believe with high confidence that the Lazarus group is linked to this malware as we identified similar malware in the CookieTime [malware]…