Security News > 2022 > March > DPRK hackers go after crypto assets using trojanized DeFi Wallet app
Hackers associated with the North Korean government have been distributing a trojanized version of the DeFi Wallet for storing cryptocurrency assets to gain access to the systems of cryptocurrency users and investors.
Researchers at cybersecurity company Kaspersky discovered recently a malicious variant of the DeFi Wallet app, which installed the legitimate application along with a backdoor disguised as the executable for the Google Chrome web browser.
"We believe with high confidence that the Lazarus group is linked to this malware as we identified similar malware in the CookieTime [malware] cluster," Kaspersky.
The CookieTime malware cluster is also known as LCPDot by Japan CERT and has been connected with the DPRK operation Dream Job, which lured victims with fake job offers from prominent companies.
The connections between the current trojanized DeFiWallet app and other malware attributed to North Korean hackers extend not only to the malware code but also to the C2 scripts, which share many functions and variable names.
The researchers published technical details on the backdoor and how it spawned from the trojanized DeFi application and shared indicators of compromise for the malware and the compromised legitimate first-stage C2 servers used for the attack.