Lazarus Using Trojanized DeFi App to Deliver Malware

Legitimate DeFi Wallet Also Implants a Malicious File When Executed
Prajeet Nair (@prajeetspeaks) • April 1, 2022
A legitimate program called DeFi Wallet is hijacked to implant a malicious file. (Source: Kaspersky)
North Korean advanced persistent threat group Lazarus has emerged with a fresh spear-phishing campaign that uses a Trojanized DeFi application. The application contains a legitimate program called DeFi Wallet, which saves and manages a cryptocurrency wallet, but it also implants a malicious file when executed.


In a report, researchers at cybersecurity firm Kaspersky say that Lazarus - an entity sanctioned by the U.S. and the United Nations and tied to North Korea's primary intelligence agency, the Reconnaissance General Bureau - exclusively used compromised web servers located in South Korea for this attack.

In 2016, the group launched an attack on Bangladesh Bank that resulted in the theft of $81 million. The attackers planted malware on Bangladesh Bank's systems, using it to hide fraudulent money-moving messages they sent from the bank to the Federal Reserve Bank of New York via the SWIFT interbank messaging system (see: Bangladesh Bank Sues to Recover Funds After Cyber Heist).

"For the Lazarus threat actor, financial gain is one of the prime motivations, with a particular emphasis on the cryptocurrency business. As the price of cryptocurrency surges, and the popularity of non-fungible token (NFT) and decentralized finance (DeFi) businesses continues to swell, the Lazarus group's targeting of the financial industry keeps evolving," the Kaspersky report says.

Trojanized Application
The researchers say the Trojanized DeFi application they discovered was compiled in November 2021. They say: "In the middle of December 2021, we noticed a suspicious file uploaded to VirusTotal. At first glance, it looked like a legitimate application related to decentralized finance (DeFi); however, looking closer we found it initiating an infection scheme."

When the suspicious file was executed, it dropped a malicious file and an installer for a legitimate application, then launched the malware with the Trojanized installer path. The spawned malware overwrites the legitimate application with the Trojanized application, the researchers say.

During this process, the researchers say, the Trojanized application is removed from disk, erasing any trace of its existence.

"This malware is a full-featured backdoor containing sufficient capabilities to control the compromised victim. After looking into the functionalities of this backdoor, we discovered numerous overlaps with other tools used by the Lazarus group," the researchers say.

Kaspersky researchers say that they worked with KrCERT, the National Computer Emergency Response Team in Korea, and had the opportunity to investigate a Lazarus group C2 server.

They found that the threat actors also configured this infrastructure with servers set up as multiple stages.

They say the first stage is the source for the backdoor, and the second stage servers communicate with the implants - a common scheme used in Lazarus infrastructure.


Infection timeline (Source: Kaspersky Labs)
Initial Infection
Researchers suspect the threat actors either tricked victims into executing the Trojanized application via a spear-phishing email or contacted victims through social media.

The installation package was disguised as a DeFi Wallet program and contained a legitimate binary repackaged with the installer. Upon execution, it acquired the next-stage malware path and decrypted it with a 1-byte XOR (key: 0x5D).

"In the process of creating this next malware stage, the installer writes the first eight bytes including the 'MZ' header to the file GoogleChrome.exe and pushes the remaining 71,164 bytes from the data section of the Trojanized application. Next, the malware loads the resource CITRIX_MEETINGS from its body and saves it to the path C:\ProgramData\Microsoft\CM202025.exe. The resulting file is a legitimate DeFi Wallet application," the researchers say.
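The single-byte XOR described above is trivial to recover from a known plaintext: every Windows executable starts with the two-byte "MZ" signature, so the key is simply the first encoded byte XORed with 'M'. The scanner below is an added illustration written for this article (it is not Kaspersky's tooling or anything from the malware itself) of how an analyst can locate such a payload inside a dropper's data section, confirming each hit by following e_lfanew to the "PE\0\0" signature to avoid false positives. The sample blob is constructed here, consisting of a minimal PE-like stub (not a real executable) XORed with the key 0x5D reported in the article, behind a few bytes of junk.

```python
"""
Locate a single-byte-XOR-encoded PE image inside an arbitrary blob.

Because a PE file begins with 'MZ', one-byte XOR leaks its key at the
first byte (key = encoded[0] ^ ord('M')). The scanner applies that
known-plaintext check at every offset and validates hits by following
e_lfanew (offset 0x3C of the DOS header) to the 'PE\0\0' signature.
"""
import struct

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"
DOS_HEADER_LEN = 0x40
E_LFANEW_OFFSET = 0x3C


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR to the whole buffer (encode and decode are the same op)."""
    return bytes(b ^ key for b in data)


def looks_like_pe(decoded: bytes) -> bool:
    """Check for an MZ header whose e_lfanew points at a PE signature inside the buffer."""
    if len(decoded) < DOS_HEADER_LEN or decoded[:2] != MZ:
        return False
    e_lfanew = struct.unpack_from("<I", decoded, E_LFANEW_OFFSET)[0]
    if e_lfanew < DOS_HEADER_LEN or e_lfanew + 4 > len(decoded):
        return False
    return decoded[e_lfanew:e_lfanew + 4] == PE_SIG


def scan_for_xor_pe(data: bytes, max_hits: int = 16) -> list[tuple[int, int]]:
    """Return (offset, key) pairs at which a single-byte-XORed PE image starts.

    A key of 0 means the PE is stored in plain form at that offset.
    """
    hits = []
    for off in range(len(data) - 1):
        key = data[off] ^ MZ[0]            # candidate key from the 'M' byte
        if data[off + 1] ^ key != MZ[1]:   # cheap filter: next byte must decode to 'Z'
            continue
        # Decode a window large enough to hold the DOS header and PE signature.
        window = xor_bytes(data[off:off + 4096], key)
        if looks_like_pe(window):
            hits.append((off, key))
            if len(hits) >= max_hits:
                break
    return hits


def build_sample_pe() -> bytes:
    """Constructed minimal PE-like stub: DOS header, e_lfanew -> 'PE\\0\\0', padding.

    This is a header-only stand-in for the test, not a runnable executable.
    """
    dos = bytearray(DOS_HEADER_LEN)
    dos[:2] = MZ
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, DOS_HEADER_LEN)
    return bytes(dos) + PE_SIG + b"\x00" * 0x20


SAMPLE_KEY = 0x5D                                    # key reported in the article
SAMPLE_PREFIX = b"\x11\x22\x33\x44\x55\x66\x77\x88"  # constructed junk preceding the payload
ENCODED_BLOB = SAMPLE_PREFIX + xor_bytes(build_sample_pe(), SAMPLE_KEY)

if __name__ == "__main__":
    for off, key in scan_for_xor_pe(ENCODED_BLOB):
        print(f"XOR-encoded PE at offset {off:#x}, key {key:#04x}")
        recovered = xor_bytes(ENCODED_BLOB[off:], key)
        print(f"decoded header: {recovered[:2]!r} ... {recovered[DOS_HEADER_LEN:DOS_HEADER_LEN + 4]!r}")
```

Run against a dropper's data section or an entire suspicious binary, the scanner reports every offset where a one-byte-XORed PE begins; the e_lfanew check is what keeps random "MZ"-producing byte pairs from flooding the output. Multi-byte or rolling keys need a different approach, but the single-byte case is common enough that this check belongs in any triage script.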

The researchers say they have high confidence that the Lazarus group is linked with this malware, especially after they identified similar malware in the CookieTime cluster - a malware cluster the Lazarus group used until recently.

"We've seen Lazarus group target the defense industry using the CookieTime cluster with a job opportunity decoy. The backdoor discovered in the latest investigation and the previously discovered Trojanized application are almost identical. They share, among other things, the same C2 communication method, backdoor functionalities, random number generation routine and the same method to encrypt communication data," the researchers say.

They say the CookieTime cluster has ties with the Manuscrypt and ThreatNeedle clusters, which have also been attributed to the Lazarus group.

The C2 scripts used show several overlaps with the ThreatNeedle cluster, and the researchers were able to uncover all function and variable names, which they say proves that the operators recycled the code base and generated corresponding C2 scripts for the malware.

Targeting Crypto Startups and More
In January, Kaspersky published new research about BlueNoroff, a suspected North Korea-backed nation-state group victimizing small and midsized cryptocurrency startups in a campaign called "SnatchCrypto." (See: North Korean APTs Target Cryptocurrency Startups).

The researchers say the tactics leveraged by the attackers are "extensive and dangerous," and that the latest SnatchCrypto campaign relies on social engineering, such as posing as phony crypto-related companies or as major venture capital firms. The attackers then contact individuals via social media - usually Twitter or LinkedIn - which gives them a means to infect the user's device through spear-phishing and ultimately breach the organization's network, they say.

"The startup crypto sphere was chosen by cybercriminals for a reason: Startups often receive letters or files from unfamiliar sources," the researchers say, which allows the attackers to more easily transfer infected files.

In October 2021, the group was also reportedly developing supply chain attack capabilities, using its multiplatform malware framework, MATA, for cyberespionage goals (see: Lazarus Adds Supply Chain Attack to List of Capabilities).

Blockchain security firm Chainalysis says that the North Korean regime's state-backed hackers stole nearly $400 million in crypto-assets last year - hitting investment firms and centralized exchanges (see: North Korean Crypto Theft Totals $400 Million in 2021).

Observing Patterns
"Criminal organizations, including ransomware gangs such as the North Korean-based Lazarus, continue to exhibit certain patterns of behavior when they attempt to obfuscate the source of stolen cryptocurrency, including swapping ERC-20 tokens via a decentralized exchange or using a bitcoin mixer," says William Callahan, director of government and strategic affairs for Blockchain Intelligence Group.

Callahan, a former U.S. Department of Justice law enforcement official, also says: "By identifying prior criminal activity and the wallets associated with cryptocurrency transactions, blockchain analytics tools can be used to identify cryptocurrency off-ramps and obfuscation techniques." When they are coupled with evidence and intelligence learned from prior hacks, he says, "these tools can also provide a visual road map for the movement of stolen funds, create opportunities to freeze or seize assets, and hold bad actors accountable for their crimes."