Lazarus Trojanized DeFi app for delivering malware
For the Lazarus threat actor, financial gain is one of the prime motivations, with a particular emphasis on the cryptocurrency business. As the price of cryptocurrency surges, and the popularity of non-fungible token (NFT) and decentralized finance (DeFi) businesses continues to swell, the Lazarus group’s targeting of the financial industry keeps evolving.
We recently discovered a Trojanized DeFi application that was compiled in November 2021. This application contains a legitimate program called DeFi Wallet that saves and manages a cryptocurrency wallet, but also implants a malicious file when executed. This malware is a full-featured backdoor containing sufficient capabilities to control the compromised victim. After looking into the functionalities of this backdoor, we discovered numerous overlaps with other tools used by the Lazarus group.
The malware operator exclusively used compromised web servers located in South Korea for this attack. To take over the servers, we worked closely with the KrCERT and, as a …
IoC