The Lazarus Group, the government-backed North Korean hacking group, has been identified as operating an attack campaign that uses a trojanized decentralized finance (DeFi) wallet app to spread a feature-rich backdoor on affected Windows systems.

The app offers features to save and manage a cryptocurrency wallet, but it also triggers the launch of an implant that can take control of the infected host. Kaspersky, a Russian cybersecurity firm, said it first came across the rogue application in mid-December 2021.

During infection the app also drops the installer for a legitimate application, which is then overwritten with a trojanized version to cover the malware's tracks. The initial access vector remains unclear, although social engineering is a likely candidate.

The malware masquerades as Google’s Chrome web browser, after which it launches a wallet app built for DeFiChain, while also connecting to a remote attacker-controlled domain and awaiting instructions from the server.
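A practitioner reading the paragraph above will want a quick way to hunt for a process impersonating Chrome. The following PowerShell check is an added example written for this page; it is not code from Kaspersky’s report or from the campaign. It assumes the disguise reuses the `chrome.exe` process name (the article does not state this; adjust `$Name` if your telemetry says otherwise) and treats a Chrome-named process as suspicious when it runs from outside the standard Google install directories, lacks a valid Google LLC Authenticode signature, or both, listing any established outbound TCP connections it holds.

```powershell
# Added hunting check, not from the original report. The process name is an
# assumption: the article only says the malware poses as Google Chrome.
$Name = 'chrome.exe'

# Standard per-machine and per-user Chrome install locations on Windows.
$KnownDirs = @(
    "$env:ProgramFiles\Google\Chrome\Application",
    "${env:ProgramFiles(x86)}\Google\Chrome\Application",
    "$env:LOCALAPPDATA\Google\Chrome\Application"
)

Get-CimInstance Win32_Process -Filter "Name = '$Name'" | ForEach-Object {
    $path = $_.ExecutablePath
    if (-not $path) { return }   # access denied or process already exited

    $dir        = Split-Path $path -Parent
    $inKnownDir = [bool]($KnownDirs | Where-Object { $dir -like "$_*" })

    # Authenticode check: real Chrome binaries are signed by Google LLC.
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # Established outbound connections give a first look at possible C2 traffic.
    $remotes = Get-NetTCPConnection -OwningProcess $_.ProcessId -State Established `
                 -ErrorAction SilentlyContinue |
               ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }

    [pscustomobject]@{
        PID        = $_.ProcessId
        Path       = $path
        KnownDir   = $inKnownDir
        SigStatus  = $sig.Status
        Signer     = $signer
        Remotes    = ($remotes -join ', ')
        Suspicious = (-not $inKnownDir) -or ($sig.Status -ne 'Valid') -or ($signer -notmatch 'Google LLC')
    }
} | Where-Object Suspicious | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so `Win32_Process` exposes the executable path for processes owned by other users; an empty result means no Chrome-named process failed the path or signature checks, not that the host is clean.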

The trojan executes a wide range of commands based on the response received from the command-and-control server. The attacker can collect system information, enumerate and terminate processes, delete files, start new processes, and write arbitrary files to the computer.

The C2 infrastructure used in this campaign comprises previously compromised web servers located in South Korea, prompting the cybersecurity company to work with the country’s computer emergency response team (KrCERT) to take down the servers.

The findings come more than two months after Kaspersky disclosed details of a similar “SnatchCrypto” campaign mounted by the Lazarus sub-group tracked as BlueNoroff to drain digital funds from victims’ MetaMask wallets.

“For the Lazarus threat actor, financial gain is one of the prime motivations, with a particular emphasis on the cryptocurrency business. As the price of cryptocurrency surges, and the popularity of non-fungible token (NFT) and decentralized finance (DeFi) businesses continues to swell, the Lazarus group’s targeting of the financial industry keeps evolving,” Kaspersky GReAT researchers pointed out.