DPRK hackers go after crypto assets using trojanized DeFi Wallet app

silversurfer

Level 84
Thread author
Verified
Helper
Top poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
7,577
Hackers associated with the North Korean government have been distributing a trojanized version of the DeFi Wallet for storing cryptocurrency assets to gain access to the systems of cryptocurrency users and investors.

The threat actor relied in this attack on web servers located in South Korea to push the malware and to communicate with the installed implants.

Researchers at cybersecurity company Kaspersky discovered recently a malicious variant of the DeFi Wallet app, which installed the legitimate application along with a backdoor disguised as the executable for the Google Chrome web browser.

The trojanized DeFi application came with a compilation date from November 2021 and added a full-featured backdoor when executed on the system.
Kaspersky researchers worked with the South Korea CERT (Computer Emergency Response Team) to take down some of the domains used in this campaign and could analyze and compare the C2 scripts.

The findings revealed overlaps with other operations from attackers linked to North Korea, generically referred to as the Lazarus group.

“We believe with high confidence that the Lazarus group is linked to this malware as we identified similar malware in the CookieTime [malware] cluster,” Kaspersky