

Lazarus hacker gang goes after crypto

Veteran APT group distributes Trojanized decentralised finance app to steal cryptocurrency

The infamous hacker gang Lazarus, known for its financial ambitions, has hit cryptocurrency businesses. It has developed new decentralized finance (DeFi) apps in order to increase profit. Lazarus abuses legitimate applications used to manage cryptocurrency wallets by distributing malware that provides control over victims’ systems.

The Lazarus group is one of the world’s most active Advanced Persistent Threat (APT) actors, operating since at least 2009. Unlike most state-sponsored APT groups, Lazarus and other threat actors associated with this APT have made financial gain one of their primary goals. As the cryptocurrency market grows along with the non-fungible token (NFT) and decentralized finance (DeFi) markets, Lazarus continues to find new ways to target cryptocurrency users.

In December 2021, Kaspersky researchers uncovered a new malware campaign by the Lazarus group against cryptocurrency businesses, using a Trojanized DeFi app. The application contains a legitimate program called DeFi Wallet, which saves and manages cryptocurrency wallets. When executed, the app drops a malicious file alongside the installer for the legitimate application and launches the malware, passing it the path of the Trojanized installer. The dropped malware then overwrites the Trojanized installer with the legitimate application.

The malware used in this infection scheme is a full-featured backdoor capable of controlling the victim’s systems remotely. Once in control of the system, the attacker can delete files, gather information, connect to specific IP addresses and communicate with the C2 server. Based on the history of Lazarus’s attacks, researchers assume the motivation behind this campaign is financial gain. After looking into the functionalities of this backdoor, Kaspersky researchers discovered numerous overlaps with other tools used by the Lazarus group, namely the CookieTime and ThreatNeedle malware clusters. The multistage infection scheme is also heavily used in Lazarus’s infrastructure.

“We have observed Lazarus’s interest in the cryptocurrency industry for a while now and have seen that they have developed sophisticated methods for luring their victims in without drawing attention to the infection process,” says Seongsu Park, senior security researcher at Kaspersky’s Global Research and Analysis Team (GReAT).

“Cryptocurrency and blockchain-based industries continue to evolve and attract higher levels of investment. Therefore, they attract not only scammers and phishers, but also ‘big game hunters’, including financially motivated APT groups. With the cryptocurrency market growing, we strongly believe Lazarus’s interest in the industry will not diminish any time soon.

“In a recent campaign, Lazarus abused a legitimate DeFi app by mimicking it and dropping malware, which is a common tactic used in crypto-hunting. That is why we urge companies to remain vigilant about unknown links and email attachments, as they may well be fraudulent, even if they appear familiar and safe.”

Learn more about Lazarus’s new campaign on

To avoid falling victim to targeted attacks by known or unknown threat actors, Kaspersky researchers recommend that users implement the following measures:

  • Carry out a cybersecurity audit and constant monitoring of your networks to remediate any weaknesses or malicious elements discovered in the perimeter or inside the network.
  • Provide your staff with basic cybersecurity hygiene training, as many targeted attacks start with phishing or other social engineering techniques.
  • Educate your employees to download software and mobile apps only from trusted sources and official app stores.
  • Use an EDR product to enable timely incident detection and response to advanced threats. A service such as Kaspersky Managed Detection and Response provides threat hunting capabilities against targeted attacks.
  • Adopt an anti-fraud solution that can protect cryptocurrency transactions by detecting and preventing account theft, transactions made without the account holder’s knowledge, and money laundering.