JAKARTA - The APT (Advanced Persistent Threat) actor Lazarus has hit the cryptocurrency business by trojanizing a new decentralized finance (DeFi) application to reap profits.

The Lazarus Group is one of the most active APT actors in the world having been in operation since at least 2009. Unlike most state-sponsored APT groups, Lazarus and other threat actors associated with this APT have made financial gain one of their main motives.

In December 2021, Kaspersky researchers discovered a new malware campaign, in which the Lazarus group sent a trojanized DeFi application to cryptocurrency businesses. This app contains a legitimate program called DeFi Wallet, which stores and manages cryptocurrency wallets.

When run, the app drops both malicious files and installers for legitimate apps, eventually launching the malware with the trojanized installer's path. The malware then overwrites the legitimate application with the trojanized application.
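The infection chain above has a recognizable shape on the endpoint: a payload written to a user-writable directory is started with a genuine installer's path as its argument so the expected installation still appears to happen. The following added example (not from the article or from Kaspersky's report) shows two defender-side checks for that pattern: verifying a downloaded installer against a vendor-published hash before it runs, and flagging process-creation records that match the "payload launched with an installer path" shape. The hash, directory list and log records are constructed for illustration, and the record layout is a simplified stand-in rather than any real log format.

```python
"""Defender-side checks for the trojanized-installer pattern described above.
All inputs here are constructed; the vendor hash and events are not real."""
import hashlib
from dataclasses import dataclass

# Constructed: stands in for the hash a vendor would publish for its genuine installer.
VENDOR_SHA256 = hashlib.sha256(b"genuine DeFi Wallet installer bytes").hexdigest()
INSTALLER_EXTS = (".exe", ".msi")
# Directories an unprivileged user can write to; a dropper commonly stages files here.
WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass
class ProcEvent:
    """Simplified process-creation record (constructed, not a real log schema)."""
    image: str
    command_line: str
    parent_image: str


def installer_is_genuine(installer_bytes: bytes, expected_sha256: str = VENDOR_SHA256) -> bool:
    """Compare a downloaded installer against the vendor-published SHA-256 before running it."""
    return hashlib.sha256(installer_bytes).hexdigest() == expected_sha256


def suspicious_launch(ev: ProcEvent) -> bool:
    """True when a process started from a user-writable directory is handed an
    installer path on its command line: the shape of 'malware launched with the
    installer path' so the legitimate setup still runs as cover."""
    image = ev.image.lower()
    from_writable_dir = image.startswith(WRITABLE_PREFIXES)
    args = ev.command_line.lower().split()[1:]          # everything after argv[0]
    passes_installer = any(a.strip('"').endswith(INSTALLER_EXTS) for a in args)
    return from_writable_dir and passes_installer


def triage(events):
    """Return the image paths of all events matching the pattern."""
    return [ev.image for ev in events if suspicious_launch(ev)]


SAMPLE_EVENTS = [  # constructed records: one matching launch, one benign launch
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\svc.exe",
              r'"C:\Users\alice\AppData\Local\Temp\svc.exe" "C:\Users\alice\AppData\Local\Temp\DeFiWallet-Setup.exe"',
              r"C:\Users\alice\Downloads\DeFi-Wallet.exe"),
    ProcEvent(r"C:\Program Files\DeFi Wallet\wallet.exe",
              r'"C:\Program Files\DeFi Wallet\wallet.exe" --minimized',
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    print("flagged:", triage(SAMPLE_EVENTS))
```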

The malware used in this infection scheme is a full-featured backdoor with the ability to remotely control the victim's system. After taking control of the system, attackers can delete files, collect information, connect to specific IP addresses, and communicate with C2 servers.

Based on the history of the Lazarus attacks, researchers think the motivation behind this campaign is none other than financial gain. After looking at the functionality of this backdoor, Kaspersky researchers found a lot of overlap with other tools used by the Lazarus group, namely, the CookieTime and ThreatNeedle malware clusters. Multistage infection schemes are also widely used in Lazarus infrastructure.

“We have observed the Lazarus group's high interest in the cryptocurrency industry for a while and also watched how they developed sophisticated methods to lure victims without drawing attention to the infection process,” said Seongsu Park, a senior security researcher at Kaspersky's Global Research and Analysis Team (GReAT), in a statement received by VOI on Monday, April 4.

Seongsu Park added that the cryptocurrency and blockchain-based industry is constantly evolving and attracting higher levels of investment. Therefore, it is attractive not only to scammers and phishers, but also to 'big hunters', including financially motivated APT groups.

“With the growth of the cryptocurrency market, we strongly believe Lazarus' interest in this industry will not diminish in the near future. In a recent campaign, Lazarus abused legitimate DeFi apps by imitating them and dropping malware, and this is a common tactic used in the crypto hunt.”

That's why Kaspersky urges companies to stay alert to unknown email links and attachments. "Because it has the potential to be fake, even though it looks familiar and safe," he said.


The English, Chinese, Japanese, Arabic, and French versions are automatically generated by the AI. So there may still be inaccuracies in translating, please always see Indonesian as our main language. (system supported by DigitalSiber.id)