For the Lazarus threat actor, financial gain is one of the prime motivations, with a particular emphasis on the cryptocurrency business. As the price of cryptocurrency surges, and the popularity of non-fungible token (NFT) and decentralized finance (DeFi) businesses continues to swell, the Lazarus group's targeting of the financial industry keeps evolving.

We recently discovered a Trojanized DeFi application that was compiled in November 2021. This application contains a legitimate program called DeFi Wallet that saves and manages a cryptocurrency wallet, but also implants a malicious file when executed. This malware is a full-featured backdoor containing sufficient capabilities to control the compromised victim. After looking into the functionalities of this backdoor, we discovered numerous overlaps with other tools used by the Lazarus group.

The malware operator exclusively used compromised web servers located in South Korea for this attack. To take over the servers, we worked closely with the KrCERT and, as a result of this effort, we had an opportunity to investigate a Lazarus group C2 server. The threat actor configured this infrastructure with servers set up as multiple stages. The first stage is the source for the backdoor, while the goal of the second-stage servers is to communicate with the implants. This is a common scheme used in Lazarus infrastructure.

In the middle of December 2021, we noticed a suspicious file uploaded to VirusTotal. At first glance, it looked like a legitimate application related to decentralized finance (DeFi); however, looking closer we found it initiating an infection scheme.

When executed, the app drops both a malicious file and an installer for a legitimate application, launching the malware with the created Trojanized installer path. Then, the spawned malware overwrites the legitimate application with the Trojanized application. Through this process, the Trojanized application gets removed from the disk, allowing it to cover its tracks.

While it's still unclear how the threat actor tricked the victim into executing the Trojanized application (0b9f4612cdfe763b3d8c8a956157474a), we suspect they sent a spear-phishing email or contacted the victim through social media. The hitherto unknown infection procedure starts with the Trojanized application. This installation package is disguised as a DeFi Wallet program containing a legitimate binary repackaged with the installer. Upon execution, it acquires the next-stage malware path (C:\ProgramData\Microsoft\GoogleChrome.exe) and decrypts it with a one-byte XOR (key: 0x5D). In the process of creating this next malware stage, the installer writes the first eight bytes, including the 'MZ' header, to the file GoogleChrome.exe and pushes the remaining 71,164 bytes from the data section of the Trojanized application.

Malware creation diagram

Next, the malware loads the resource CITRIX_MEETINGS from its body and saves it to the path C:\ProgramData\Microsoft\CM202025.exe. The resulting file is a legitimate DeFi Wallet application. Eventually, it executes the previously created malware with its file name as a parameter: C:\ProgramData\Microsoft\GoogleChrome.exe ""

Backdoor creation

The malware (d65509f10b432f9bbeacfc39a3506e23) generated by the above Trojanized application is disguised as a benign instance of the Google Chrome browser.
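The next-stage file described above is a PE image protected only by a one-byte XOR. An analyst who pulls such a blob off disk does not need the key in advance: because every PE starts with 'MZ', the first byte alone pins the key down, and the e_lfanew pointer to the 'PE\0\0' signature confirms the guess. The following is an added example written for this page, not code from the article or from the malware; the payload it decodes is a constructed, minimal PE-shaped blob encrypted with the key the article reports (0x5D), and the helper names are my own.

```python
"""Recover a single-byte XOR key from an encrypted PE payload and decode it.

Added analyst example. It assumes only what the article states: the
next-stage file is a PE ('MZ' header) encrypted with a one-byte XOR
(key 0x5D). The sample payload below is constructed for the demo.
"""
import struct

DOS_STUB = b"This program cannot be run in DOS mode"


def build_fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob: MZ header, e_lfanew -> 'PE\\0\\0'."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew: offset of the PE signature
    blob = bytes(hdr) + b"\x0e\x1f" + DOS_STUB + b".\r\n$"
    # Pad to e_lfanew, then a PE signature, i386 machine id and some filler.
    blob = blob.ljust(0x80, b"\x00") + b"PE\x00\x00" + b"\x4c\x01" + bytes(50)
    return blob


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Structural check: 'MZ' at 0 and 'PE\\0\\0' at the offset stored in e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_xor_key(blob: bytes):
    """Return (key, decoded) for the first key yielding a structurally valid PE, else None.

    The key that maps the first ciphertext byte to 'M' is tried first; the
    remaining 255 keys are a fallback in case the header was tampered with.
    """
    if not blob:
        return None
    candidate = blob[0] ^ ord("M")
    order = [candidate] + [k for k in range(256) if k != candidate]
    for key in order:
        decoded = xor_bytes(blob, key)
        if looks_like_pe(decoded):
            return key, decoded
    return None


if __name__ == "__main__":
    encrypted = xor_bytes(build_fake_pe(), 0x5D)  # constructed stand-in for GoogleChrome.exe on disk
    result = recover_xor_key(encrypted)
    if result:
        key, pe = result
        print(f"key=0x{key:02X}, decoded {len(pe)} bytes, MZ={pe[:2]!r}")
```

The e_lfanew check matters more than it looks: with a single-byte XOR, any key produces some output, and the key 0x00 always "succeeds" on already-plaintext input, so a real validation of the PE structure, not just the two magic bytes, is what keeps the recovery from returning a wrong key on random data.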
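The dropper chain leaves a distinctive trail in process-creation telemetry: a Chrome-named binary launched directly from C:\ProgramData\Microsoft\, an empty-string argument, and a second executable (CM202025.exe) spawned from that same directory. The following added example, written for this page and not taken from the article, turns those observations into triage heuristics over Sysmon-style event records. The event dicts are constructed for the demo; the field names (Image, CommandLine, ParentImage) mirror Sysmon's, and the rules are deliberately narrow so that legitimate Microsoft binaries living in subfolders of ProgramData\Microsoft (e.g. Windows Defender) are not flagged.

```python
"""Flag process-creation events that match the dropper chain's file paths.

Added defender example. It uses only the paths and launch pattern the
article reports; the event records below are constructed, not real telemetry.
"""
import ntpath

PROGRAMDATA_MS = r"c:\programdata\microsoft"
CHROME_NAMES = {"googlechrome.exe", "chrome.exe"}
CHROME_DIRS = (r"c:\program files\google", r"c:\program files (x86)\google", r"c:\users")


def analyze_event(ev: dict) -> list:
    """Return a list of human-readable findings for one process-creation event."""
    findings = []
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").strip()
    parent = ev.get("ParentImage", "").lower()
    directory, name = ntpath.split(image)

    # Rule 1: an executable sitting directly in ProgramData\Microsoft (no subfolder).
    if directory == PROGRAMDATA_MS:
        findings.append(f"executable placed directly in {PROGRAMDATA_MS}: {name}")

    # Rule 2: a Chrome-named binary outside Chrome's normal install locations.
    if name in CHROME_NAMES and not directory.startswith(CHROME_DIRS):
        findings.append(f"chrome-named binary outside its install paths: {image}")

    # Rule 3: the launch pattern from the article, an empty-string argument.
    if cmd.endswith(' ""'):
        findings.append("launched with an empty-string argument")

    # Rule 4: the parent itself runs from ProgramData\Microsoft (stage chaining).
    if ntpath.split(parent)[0] == PROGRAMDATA_MS:
        findings.append(f"parent runs from {PROGRAMDATA_MS}: {ntpath.basename(parent)}")
    return findings


def triage(events) -> list:
    """Return [(Image, findings)] for every event with at least one finding."""
    out = []
    for ev in events:
        findings = analyze_event(ev)
        if findings:
            out.append((ev["Image"], findings))
    return out


# Constructed sample events modelled on the chain described in the article.
SAMPLE_EVENTS = [
    {"Image": r"C:\ProgramData\Microsoft\GoogleChrome.exe",
     "CommandLine": r'"C:\ProgramData\Microsoft\GoogleChrome.exe" ""',
     "ParentImage": r"C:\Users\victim\Downloads\DeFiWallet-Setup.exe"},
    {"Image": r"C:\ProgramData\Microsoft\CM202025.exe",
     "CommandLine": r'"C:\ProgramData\Microsoft\CM202025.exe"',
     "ParentImage": r"C:\ProgramData\Microsoft\GoogleChrome.exe"},
    # Benign: real Chrome launched from Explorer.
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Benign: a Microsoft binary in a subfolder of ProgramData\Microsoft.
    {"Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "CommandLine": r'"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"',
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for image, findings in triage(SAMPLE_EVENTS):
        print(image)
        for f in findings:
            print("  -", f)
```

Each rule on its own is weak (an empty-string argument is not unusual for every program), which is why the function returns all matching findings rather than a single verdict: two or more findings on one event, or a parent/child pair both from the same dropped-file directory, is the signal worth escalating.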