Trojanized DeFi app stealing cryptocurrency

Kaspersky recently announced that its researchers have uncovered a new malware campaign, run by the Lazarus group against cryptocurrency businesses, that uses a Trojanized DeFi app. The application bundles a legitimate program called DeFi Wallet, which saves and manages cryptocurrency wallets.

When executed, the app drops a malicious file alongside the installer for the legitimate application and launches the malware, passing it the path of the Trojanized installer. The dropped malware then overwrites the legitimate application with the Trojanized application.

The malware used in this infection scheme is a full-featured backdoor capable of controlling the victim's systems remotely. Once in control of the system, the attacker can delete files, gather information, connect to specific IP addresses and communicate with the C2 server. Based on the history of Lazarus's attacks, researchers assume the motivation behind this campaign is financial gain. After analyzing the functionality of this backdoor, Kaspersky researchers discovered numerous overlaps with other tools used by the Lazarus group, namely the CookieTime and ThreatNeedle malware clusters. The multistage infection scheme is also heavily used in Lazarus's infrastructure.

The advanced persistent threat actor Lazarus, infamous for its growing financial motivations, has hit cryptocurrency businesses with new Trojanized decentralized finance (DeFi) apps in order to increase its profits. Lazarus abuses legitimate applications used to manage cryptocurrency wallets by distributing malware that provides control over victims' systems.

As the cryptocurrency market grows, along with the non-fungible token (NFT) and decentralized finance (DeFi) markets, Lazarus continues to find new ways to target cryptocurrency users.

“We have observed Lazarus’s interest in the cryptocurrency industry for a while now and have seen that they have developed sophisticated methods for luring their victims in without drawing attention to the infection process. Cryptocurrency and blockchain-based industries continue to evolve and attract higher levels of investment. Therefore, they attract not only scammers and phishers, but also ‘big game hunters’, including financially motivated APT groups. With the cryptocurrency market growing, we strongly believe Lazarus’s interest in the industry will not diminish any time soon. In a recent campaign, Lazarus abused a legitimate DeFi app by mimicking it and dropping malware, which is a common tactic used in crypto-hunting. That is why we urge companies to remain vigilant about unknown links and email attachments, as they may well be fraudulent, even if they appear familiar and safe,” comments Seongsu Park, senior security researcher at Kaspersky’s Global Research and Analysis Team (GReAT).

To avoid falling victim to targeted attacks by known or unknown threat actors, Kaspersky researchers recommend implementing the following measures:

  • Carry out a cybersecurity audit and constant monitoring of your networks to remediate any weaknesses or malicious elements discovered in the perimeter or inside the network.
  • Provide your staff with basic cybersecurity hygiene training, as many targeted attacks start with phishing or other social engineering techniques.
  • Educate your employees to download software and mobile apps only from trusted sources and official app stores.
  • Use an EDR product to enable timely incident detection and response to advanced threats. A service such as Kaspersky Managed Detection and Response provides threat hunting capabilities against targeted attacks.
  • Adopt an anti-fraud solution that can protect cryptocurrency transactions by detecting and preventing account theft, unauthorized transactions and money laundering.