Hackers linked to the North Korean government have been infecting cryptocurrency investors and users through a trojanized DeFi Wallet application to gain access to their systems. The command-and-control servers through which the attackers communicate with the implant and deploy further malware are based in South Korea.
How Is the DeFi Wallet Infecting Users?
Researchers at the cybersecurity company Kaspersky identified a malicious copy of the DeFi Wallet application that was compiled in November 2021. It installs the legitimate application together with a backdoor disguised as an ordinary executable file.
This malware is a full-featured backdoor that can be used to control the compromised host. After we looked into how this backdoor worked, we found that it had a lot in common with other tools used by the Lazarus group.
It isn’t clear how the hackers spread the malware, but phishing emails and social media are the most likely scenarios.
Researchers say the malware can “control” the victim host by running Windows commands, deleting files, starting and stopping processes, enumerating files and their metadata, or remotely accessing the target hosts.
The malware can also gather information about the targeted system (such as its IP address, OS, and CPU architecture) and download files from specific locations by running commands.
South Korea CERT (Computer Emergency Response Team)
To evaluate and compare the C2 scripts, Kaspersky researchers worked with the South Korean CERT (Computer Emergency Response Team). The findings indicated a link with past attacks by North Korean cybercriminals known as the Lazarus group.
“We believe with high confidence that the Lazarus group is linked to this malware as we identified similar malware in the CookieTime [malware] cluster,” Kaspersky said.
The Japan CERT has linked the CookieTime malware cluster to the DPRK operation Dream Job, which lured victims with bogus job offers from well-known enterprises.
Google’s Threat Analysis Group (TAG) discovered recent Dream Job activity earlier this month, targeting individuals working for news media, IT firms, cryptocurrencies, and financial institutions.
Kaspersky also states that the CookieTime cluster is linked to the Lazarus group’s Manuscrypt and ThreatNeedle clusters. Many functions and variable names are shared between the present trojanized DeFiWallet malware app and other North Korean spyware.
North Korean Lazarus Cybercriminals Group
Lazarus is the generic term for all potential attacks from state-sponsored North Korean groups. However, the DPRK is home to several cybercriminal organizations, each of which is based within a distinct institution or department of the country’s intelligence infrastructure.
Over the course of 16 months, Mandiant analysts gathered information on the organization of the DPRK’s cyber programs by tracking cyber activity, OSINT monitoring, defector reports, and imagery analysis.
According to their map, the 3rd Bureau (Foreign Intelligence) of the country’s Reconnaissance General Bureau (RGB) is believed to be responsible for pursuing cryptocurrency heists.
BlueNoroff, a North Korean hacking squad, has been blamed for infecting the MetaMask DeFi wallet, and Kaspersky says that activity is identical to the behavior detected in this latest attack.
The researchers shared technical details of the backdoor and of the trojanized DeFi app. They also shared indicators of compromise for the malware and for the compromised first-stage C2 servers used in the attack.