Lazarus Trojanized DeFi app for delivering malware

2022-03-31 Kaspersky

https://securelist.com/lazarus-trojanized-defi-app/106195/


Kaspersky found a Lazarus-linked Trojanized DeFi Wallet application, compiled in November 2021, that installed a legitimate-looking cryptocurrency wallet while dropping a full-featured backdoor. The infection chain wrote the payload under C:\ProgramData\Microsoft disguised as GoogleChrome.exe, launched a legitimate DeFi Wallet component so the victim saw the expected application, and removed traces of the original Trojanized installer. The backdoor carried configurable C2 addresses and a hard-coded beacon value, encoded its traffic with RC4 followed by base64, and sent it in POST parameters such as jsessid and jcookie to compromised South Korean web servers used as C2. Its command set covered system and drive enumeration, process control and creation, command execution, file download and exfiltration, file timestamp modification, secure deletion, and configuration updates, consistent with Lazarus' continued targeting of cryptocurrency and DeFi users for financial gain.
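The paragraph above describes the C2 encoding (RC4, then base64, carried in POST parameters named jsessid and jcookie) and the dropped path C:\ProgramData\Microsoft\GoogleChrome.exe. The following is an added example, not code from Kaspersky or from the malware: it models that two-layer encoding so an analyst can see what a decoder needs, and runs a triage pass over constructed proxy and process-creation log lines that flags both the traffic pattern and the dropped path. The RC4 key, the beacon plaintext, the POST body layout and the log-line formats are all assumptions made for the example; the report does not give them here.

```python
import base64
import re
from urllib.parse import parse_qs, urlencode


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). Symmetric: one call encrypts or decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Hypothetical key and beacon value for the example; the page gives neither.
ASSUMED_KEY = b"example-rc4-key"
ASSUMED_BEACON = b"beacon=0x1234"


def encode_c2(plaintext: bytes, key: bytes = ASSUMED_KEY) -> str:
    """RC4 then base64: the two-layer encoding the summary attributes to the backdoor."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def decode_c2(blob: str, key: bytes = ASSUMED_KEY) -> bytes:
    """Reverse of encode_c2: base64-decode, then RC4 with the same key."""
    return rc4(key, base64.b64decode(blob))


def build_beacon_body(beacon: bytes, session: bytes, key: bytes = ASSUMED_KEY) -> str:
    """POST body using the two parameter names the report mentions; the layout is assumed."""
    return urlencode({"jsessid": encode_c2(beacon, key), "jcookie": encode_c2(session, key)})


# --- triage over constructed log lines (formats are assumptions for this example) ---
C2_PARAMS = {"jsessid", "jcookie"}
DROPPED_PATH = r"c:\programdata\microsoft\googlechrome.exe"
PROXY_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) POST (?P<url>\S+) body="(?P<body>[^"]*)"$')
PROC_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) image="(?P<image>[^"]+)"')


def flag_proxy_line(line: str, key: bytes = ASSUMED_KEY):
    """Flag a POST whose form body carries both jsessid and jcookie; decode jsessid if the key fits."""
    m = PROXY_RE.match(line)
    if not m:
        return None
    params = parse_qs(m["body"], keep_blank_values=True)
    if not C2_PARAMS <= set(params):
        return None
    try:
        beacon = decode_c2(params["jsessid"][0], key)
    except ValueError:  # binascii.Error: not base64 at all; still worth a look
        beacon = None
    return {"src": m["src"], "url": m["url"], "beacon": beacon}


def flag_process_line(line: str):
    """Flag process creation from the path the dropper used for its payload."""
    m = PROC_RE.match(line)
    if m and m["image"].lower() == DROPPED_PATH:
        return {"host": m["host"], "image": m["image"]}
    return None


def triage(lines):
    """Return one hit dict per line that matches either indicator."""
    hits = []
    for line in lines:
        hit = flag_proxy_line(line) or flag_process_line(line)
        if hit:
            hits.append(hit)
    return hits


# Constructed sample lines, not real telemetry. The C2 URL is taken from the IOC table on this page.
SAMPLE_LINES = [
    '2022-03-31T09:00:01Z 10.0.0.5 POST http://gyro3d.com/mypage/faq.asp body="'
    + build_beacon_body(ASSUMED_BEACON, b"sess-1") + '"',
    '2022-03-31T09:00:02Z 10.0.0.5 POST http://example.org/login body="user=a&pass=b"',
    '2022-03-31T09:00:03Z WS-01 image="C:\\ProgramData\\Microsoft\\GoogleChrome.exe"',
    '2022-03-31T09:00:04Z WS-01 image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LINES):
        print(hit)
```

The parameter-name check is deliberately independent of the key: a proxy rule on jsessid together with jcookie in a POST body to an .asp path on a compromised site fires whether or not the RC4 key is known, and the decoder only adds context when it is. RC4 gives no integrity, so a wrong key yields garbage rather than an error; treat a non-printable decode as "key unknown", not "benign".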

Indicators of Compromise

Type    Value                              First Seen  Last Seen
HASH    5b831eaed711d5c4bc19d7e75fcaf46e   2022-03-31  2022-03-31
HASH    d35a9babbd9589694deb4e87db222606   2022-03-31  2022-03-31
HASH    77ff51bfce3f018821e343c04c698c0e   2022-03-31  2022-03-31
HASH    b7092df99ece1cdb458259e0408983c7   2022-03-31  2022-03-31
HASH    47b73a47e26ba18f0dba217cb47c1e16   2022-03-31  2022-03-31
HASH    70bcafbb1939e45b841e68576a320603   2022-03-31  2022-03-31
HASH    3f4cf1a8a16e48a866aebd5697ec107b   2022-03-31  2022-03-31
HASH    a4873ef95e6d76856aa9a43d56f639a4   2022-03-31  2022-03-31
HASH    d65509f10b432f9bbeacfc39a3506e23   2022-03-31  2022-03-31
HASH    d90d267f81f108a89ad728b7ece38e70   2022-03-31  2022-03-31
HASH    0b9f4612cdfe763b3d8c8a956157474a   2022-03-31  2022-03-31
HASH    8e302b5747ff1dcad301c136e9acb4b0   2022-03-31  2022-03-31
URL     http://emsystec.com/include/inc…   2022-03-31  2022-03-31
URL     http://www.newbusantour.co.kr/g…   2022-03-31  2022-03-31
URL     http://www.syadplus.com/search/…   2022-03-31  2022-03-31
URL     http://gyro3d.com/mypage/faq.asp   2022-03-31  2022-03-31
URL     http://softapp.co.kr/sub/cscent…   2022-03-31  2022-03-31
URL     http://bn-cosmo.com/customer/bo…   2022-03-31  2022-03-31
URL     http://www.gyro3d.com/common/fa…   2022-03-31  2022-03-31
URL     http://ilovesvc.com/HomePage1/I…   2022-03-31  2022-03-31
DOMAIN  gyro3d.com                         2022-03-31  2022-03-31
DOMAIN  emsystec.com                       2022-03-31  2022-03-31
DOMAIN  softapp.co.kr                      2022-03-31  2022-03-31
DOMAIN  bn-cosmo.com                       2022-03-31  2022-03-31
DOMAIN  roit.co.kr                         2021-02-25  2022-03-31
DOMAIN  edujikim.com                       2021-01-25  2022-03-31
DOMAIN  ilovesvc.com                       2019-01-30  2022-03-31

The hashes are 32 hex characters (MD5). The URL and domain entries are compromised legitimate South Korean sites abused as C2, not attacker-registered infrastructure, so block or alert on the full URL path where it is available rather than sinkholing the whole domain. Several URL values are truncated on this page as shown.

Related Reports

2021-12-02 • 61% Match
#Lazarus #T1102.002 #T1082 #T1059.003 #T1567.002 #T1140 #T1584.004 #T1005 #T1070.004 #T1587.001 #T1041 #T1560 #T1608.001 #T1071.001 #T1046 #T1083 #T1056.001 #T1204.001 #T1036 #T1027 #T1204.002 #T1566.002 #T1566.003 #T1124 #T1057 #T1059.005 #T1583.006 #T1566.001 #T1547.001 #T1585.002 #T1053.005 #T1583.001 #T1059.001 #T1036.005 #T1132.001 #T1001.003 #T1585.001 #T1497.001 #T1105 #T1553.002 #T1620 #T1574.002 #T1562.001 #T1027.002 #T1489 #T1078 #T1008 #T1573.001 #T1571 #T1491.001 #T1218 #T1220 #T1203 #T1189 #T1049 #T1564.001 #T1098 #T1016 #T1074.001 #T1588.002 #T1562.004 #T1591 #T1218.011 #T1583.004 #T1036.004 #T1588.003 #T1593.001 #T1218.005 #T1589.002 #T1584.001 #T1070.006 #T1048.003 #T1134.002 #T1027.007 #T1021.001 #T1106 #T1090.001 #T1070 #T1047 #T1574.013 #T1561.001 #T1036.003 #T1529 #T1055.001 #T1614.001 #T1010 #T1021.002 #T1033 #T1543.003 #T1485 #T1090.002 #T1542.003 #T1560.002 #T1012 #T1110 #T1547.009 #T1110.003 #T1534 #T1588.004 #T1104 #T1591.004 #T1561.002 #T1608.002 #T1202 #T1221 #T1557.001 #T1087.002 #T1560.003 #T1070.003 #T1021.004 #T0865
Shares tags: Lazarus, T1082, T1070.004
2025-08-13 • 53% Match
#Lazarus #T1102.002 #T1082 #T1059.003 #T1567.002 #T1140 #T1584.004 #T1005 #T1070.004 #T1587.001 #T1041 #T1560 #T1608.001 #T1071.001 #T1046 #T1083 #T1056.001 #T1204.001 #T1036 #T1027 #T1204.002 #T1566.002 #T1566.003 #T1124 #T1057 #T1059.005 #T1583.006 #T1566.001 #T1547.001 #T1585.002 #T1053.005 #T1583.001 #T1059.001 #T1036.005 #T1132.001 #T1001.003 #T1585.001 #T1497.001 #T1105 #T1553.002 #T1620 #T1574.002 #T1562.001 #T1027.002 #T1489 #T1078 #T1008 #T1571 #T1491.001 #T1218 #T1220 #T1203 #T1189 #T1049 #T1564.001 #T1098 #T1016 #T1074.001 #T1588.002 #T1562.004 #T1591 #T1218.011 #T1583.004 #T1036.004 #T1588.003 #T1218.010 #T1593.001 #T1218.005 #T1589.002 #T1584.001 #T1070.006 #T1048.003 #T1134.002 #T1027.007 #T1021.001 #T1106 #T1090.001 #T1573 #T1070 #T1047 #T1574.013 #T1561.001 #T1036.003 #T1529 #T1055.001 #T1614.001 #T1010 #T1021.002 #T1033 #T1543.003 #T1485 #T1090.002 #T1542.003 #T1560.002 #T1012 #T1110 #T1547.009 #T1110.003 #T1534 #T1588.004 #T1104 #T1591.004 #T1561.002 #T1608.002 #T1202 #T1221 #T1557.001 #T1087.002 #T1560.003 #T1070.003 #T1021.004
Shares tags: Lazarus, T1082, T1070.004
2024-07-19 • 53% Match
#Trend #Andariel #Kimsuky #MoonstoneSleet #Lazarus #T1082 #T1059.003 #T1090 #T1140 #T1005 #T1070.004 #T1041 #T1113 #T1555 #T1560 #T1071.001 #T1046 #T1112 #T1115 #T1083 #T1497 #T1056.001 #T1036 #T1027 #T1204.002 #T1566.002 #T1555.003 #T1071 #T1124 #T1222 #T1552 #T1057 #T1583.003 #T1518.001 #T1547.001 #T1053.005 #T1539 #T1608.005 #T1583.001 #T1059.001 #T1053 #T1552.001 #T1566 #T1059 #T1003 #T1497.001 #T1102.001 #T1574.002 #T1562.001 #T1490 #T1486 #T1129 #T1133 #T1571 #T1548 #T1190 #T1203 #T1564.001 #T1087 #T1562.004 #T1218.011 #T1070.006 #T1547 #T1068 #T1614 #T1573 #T1095 #T1562 #T1070 #T1047 #T1056 #T1176 #T1010 #T1033 #T1569.002 #T1543.003 #T1485 #T1012 #T1202 #T1087.002 #T1021.004 #T1222.001 #T1518 #T1564.003 #T1505.003 #T1069.002 #T1564 #T1595.002 #T1027.005 #T1070.001 #T1056.004 #T1584
Shares tags: Lazarus, T1082, T1070.004
2025-04-24 • 48% Match
#ThreatNeedle #LPEClient #SIGNBT #AGAMEMNON #Lazarus #Innorix #SyncHole #CrossEX #T1027.013 #T1082 #T1140 #T1071.001 #T1083 #T1057 #T1583.003 #T1583.001 #T1105 #T1620 #T1574.002 #T1135 #T1573.001 #T1190 #T1189 #T1049 #T1573.002 #T1016 #T1087.001 #T1218.011 #T1584.001 #T1574.001 #T1564.004 #T1027.009 #T1569.002 #T1543.003 #T1087.002 #T1570 #T1608.004 #T1547.005 #T1007
Shares tags: Lazarus, T1082, T1071.001 • Same author: Kaspersky
2025-08-25 • 47% Match
#Lazarus #GolangGhost #T1059.003 #T1140 #T1005 #T1070.004 #T1041 #T1113 #T1071.001 #T1115 #T1083 #T1056.001 #T1204.002 #T1566.002 #T1555.003 #T1057 #T1059.005 #T1518.001 #T1566.001 #T1547.001 #T1059.001 #T1497.001 #T1219 #T1574.002 #T1562.001 #T1622 #T1027.002 #T1573.001 #T1190 #T1123 #T1132.002 #T1564.001 #T1548.002 #T1055.012 #T1027.007 #T1217 #T1106 #T1027.009 #T1036.003 #T1055.002 #T1036.007 #T1059.010 #T1136.001 #T1134.004 #T1614.001 #T1574.007 #T1098.007 #T1010 #T1071.004 #T1021.002 #T1021.006
Shares tags: Lazarus, T1070.004, T1041