Lazarus backdoor in DeFi wallet

The Lazarus group continues to prey on cryptocurrency: the attackers are distributing a DeFi wallet installer with a built-in backdoor.

DeFi wallet with Lazarus backdoor

In mid-December last year, a suspicious file was uploaded to VirusTotal, the online service that scans files for malware. At first glance it looked like a cryptocurrency wallet installer. But our experts analyzed it and found that, besides the wallet, it delivers malware to the user's device. And the program does not appear to be the work of small-time crooks, but of the infamous Lazarus group.

What is Lazarus?

Lazarus is an APT (advanced persistent threat) group. Such groups are well-resourced, often state-backed, develop custom malware, and specialize in targeted attacks, for example for industrial or political espionage. Stealing money, if it interests them at all, is not usually their primary goal.

Lazarus, however, is an APT group that actively goes after other people's money. In 2016, for example, the group stole a large sum from the Central Bank of Bangladesh; in 2018 it infected a cryptocurrency exchange with malware; and in 2020 it tried its hand at ransomware.

DeFi wallet with backdoor

The file that caught our researchers' attention contained a trojanized installer for a legitimate decentralized crypto wallet. DeFi (decentralized finance) is a financial model in which there are no intermediaries like banks: transactions are executed directly between users by smart contracts on a blockchain. In recent years, DeFi technology has been gaining popularity. According to Forbes, for instance, from May 2020 to May 2021 the value of assets placed in DeFi systems increased 88-fold. Not surprisingly, then, DeFi is attracting cybercriminal interest.

Exactly how the attackers persuade victims to download and run the infected file is not entirely clear. However, our experts suspect that they send targeted e-mails or social media messages (spear phishing). Unlike mass mailings, such messages are tailored to a specific recipient and can look very plausible.

In any case, when the user runs the trojanized installer, it writes two executables to disk: a malicious program and a clean installer for the crypto wallet. The malware disguises itself as the Google Chrome browser and tries to hide the existence of the infected installer by copying the clean installer over it, then immediately launching the clean installer so that the user sees a normal wallet setup and suspects nothing. Once the wallet is installed, the malware keeps running in the background.
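The installer behaviour above leaves two things a defender can look for in process-creation telemetry: a process named like Chrome that runs from a directory where Chrome is never installed, and a "browser" whose parent is a setup program. The script below is an added example of that hunt; it is not code from this post, from Securelist or from the wallet project. The process events are constructed for illustration, and the Chrome install directories, the installer-name hints and the file name `wallet-setup.exe` are assumptions, not indicators taken from the Lazarus sample.

```python
"""Hunt process-creation records for a process masquerading as Google Chrome.

Added example, not code from the original post. The events below are
constructed; paths and the installer name are assumptions, not indicators
from the real sample.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: default per-machine Chrome install directories on Windows.
EXPECTED_CHROME_DIRS = (
    PureWindowsPath(r"C:\Program Files\Google\Chrome\Application"),
    PureWindowsPath(r"C:\Program Files (x86)\Google\Chrome\Application"),
)
# Assumption: tail of the default per-user install directory,
# C:\Users\<name>\AppData\Local\Google\Chrome\Application.
USER_CHROME_TAIL = ("appdata", "local", "google", "chrome", "application")
# Parent names that suggest a setup program started the "browser"
# (assumption; tune to your environment).
INSTALLER_HINTS = ("setup", "install")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: PureWindowsPath   # full path of the newly created process
    parent: PureWindowsPath  # full path of its parent process


def parse_event(line: str) -> ProcEvent:
    """Parse one tab-separated 'pid<TAB>image<TAB>parent' record."""
    pid, image, parent = line.rstrip("\n").split("\t")
    return ProcEvent(int(pid), PureWindowsPath(image), PureWindowsPath(parent))


def is_expected_chrome_dir(directory) -> bool:
    """True if directory is a place where a genuine chrome.exe is installed."""
    directory = PureWindowsPath(directory)
    # PureWindowsPath compares case-insensitively, like the Windows file system.
    if directory in EXPECTED_CHROME_DIRS:
        return True
    parts = tuple(p.lower() for p in directory.parts)
    # Per-user install: ('c:\\', 'users', '<name>', 'appdata', 'local', ...).
    return (len(parts) == 3 + len(USER_CHROME_TAIL)
            and parts[1] == "users"
            and parts[3:] == USER_CHROME_TAIL)


def hunt(events):
    """Return (pid, reason) findings for chrome-named processes that look wrong."""
    findings = []
    for ev in events:
        if ev.image.name.lower() != "chrome.exe":
            continue
        if not is_expected_chrome_dir(ev.image.parent):
            findings.append((ev.pid, f"chrome.exe outside a Chrome install dir: {ev.image}"))
        parent_name = ev.parent.name.lower()
        if any(hint in parent_name for hint in INSTALLER_HINTS):
            findings.append((ev.pid, f"chrome.exe launched by installer {ev.parent.name}"))
    return findings


def analyze_log(text: str):
    """Parse a whole log (one record per line) and run the hunt over it."""
    return hunt(parse_event(line) for line in text.splitlines() if line.strip())


# Constructed sample: two genuine Chrome launches, a hypothetical wallet
# installer, and a chrome.exe dropped into %TEMP% by that installer.
SAMPLE_LOG = "\n".join("\t".join(rec) for rec in [
    ("4120", r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"C:\Windows\explorer.exe"),
    ("4188", r"C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe", r"C:\Windows\explorer.exe"),
    ("5012", r"C:\Users\alice\Downloads\wallet-setup.exe", r"C:\Windows\explorer.exe"),
    ("5044", r"C:\Users\alice\AppData\Local\Temp\chrome.exe", r"C:\Users\alice\Downloads\wallet-setup.exe"),
])

if __name__ == "__main__":
    for pid, reason in analyze_log(SAMPLE_LOG):
        print(f"[!] pid {pid}: {reason}")
```

Only the last record trips the hunt, and it trips both rules at once: the process is named chrome.exe but lives in a Temp directory, and its parent is a setup program. Either rule alone produces noise in some environments (portable browser builds, software-deployment tools launching Chrome), so in practice the two signals are stronger together than separately.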

How dangerous is it?

The malware that gets slipped onto the computer alongside the DeFi wallet is a backdoor. Depending on the operator's intentions, it can either harvest information or provide remote control over the device. Specifically, it can:

  • Start and terminate processes;
  • Execute commands on the device;
  • Download files to the device, delete them, and upload files from the device to the command-and-control (C&C) server.

In other words, after a successful attack the operators can try to disable the antivirus and steal whatever they like, from valuable documents to account credentials and money. They can also download further malicious programs to the computer as they see fit. As ever, more details are available in the technical breakdown of the Trojan on our expert blog Securelist.

How not to fall victim

If you handle finances, and especially cryptocurrency, be wary of messages that urge you to install programs from untrusted sources; download wallet software only from the developer's official site and verify the installer's signature or published checksum before running it. In addition, make sure your devices are secure, in particular those you use for cryptocurrency transactions. A reliable security solution will help in cases where attentiveness alone isn't enough.