DPRK hackers go after crypto assets using trojanized DeFi Wallet app (Security News, March 2022)
Hackers associated with the North Korean government have been distributing a trojanized version of the DeFi Wallet for storing cryptocurrency assets to gain access to the systems of cryptocurrency users and investors.
Researchers at cybersecurity company Kaspersky recently discovered a malicious variant of the DeFi Wallet app which installs the legitimate application alongside a backdoor disguised as the executable of the Google Chrome web browser.
"We believe with high confidence that the Lazarus group is linked to this malware as we identified similar malware in the CookieTime [malware] cluster," Kaspersky said.
The CookieTime malware cluster is also known as LCPDot by Japan CERT and has been connected with the DPRK operation Dream Job, which lured victims with fake job offers from prominent companies.
The connections between the current trojanized DeFi Wallet app and other malware attributed to North Korean hackers extend beyond the malware code to the C2 scripts, which share many functions and variable names.
The researchers published technical details on the backdoor and how it is launched from the trojanized DeFi application, and shared indicators of compromise for the malware and for the compromised legitimate first-stage C2 servers used in the attack.