{"id":19551,"date":"2022-04-20T15:12:26","date_gmt":"2022-04-20T11:12:26","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/lazarus-defi-wallet-backdoor\/19551\/"},"modified":"2022-04-20T15:12:26","modified_gmt":"2022-04-20T11:12:26","slug":"lazarus-defi-wallet-backdoor","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/lazarus-defi-wallet-backdoor\/19551\/","title":{"rendered":"Lazarus backdoor in DeFi wallet"},"content":{"rendered":"<p>In mid-December last year, a suspicious file was uploaded to VirusTotal \u2014 the online service that scans files for malware. At first glance, it looked like a cryptocurrency wallet installer. But our experts <a href=\"https:\/\/securelist.com\/lazarus-trojanized-defi-app\/106195\/\" target=\"_blank\" rel=\"nofollow noopener\">analyzed it<\/a> and found that, besides the wallet, it delivers malware to a user\u2019s device. And it seems that the program isn\u2019t the work of small-time crooks \u2014 but the infamous cybercriminals behind <a href=\"https:\/\/www.kaspersky.com\/blog\/tag\/lazarus\/\" target=\"_blank\" rel=\"noopener nofollow\">Lazarus<\/a>.<\/p>\n<h2>What is Lazarus?<\/h2>\n<p>Lazarus is an <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/apt-advanced-persistent-threats\/\" target=\"_blank\" rel=\"noopener\">APT group<\/a>. Such groups are cybercriminal organizations that are typically well-funded, develop complex malware, and specialize in <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/targeted-attack\/\" target=\"_blank\" rel=\"noopener\">targeted attacks<\/a> \u2014 for example for industrial or political espionage. Stealing money, if it interests them at all, is not usually their primary goal.<\/p>\n<p>Lazarus, however, is an APT group that actively goes after other people\u2019s money. 
In 2016, for example, the group <a href=\"https:\/\/www.kaspersky.com\/blog\/lazarus-modus-operandi-and-countermeasures\/6716\/\" target=\"_blank\" rel=\"noopener nofollow\">made off with a tidy sum<\/a> from the Central Bank of Bangladesh; in 2018 it <a href=\"https:\/\/www.kaspersky.com\/blog\/lazarus-crypto-exchange-attack\/23610\/\" target=\"_blank\" rel=\"noopener nofollow\">infected a cryptocurrency exchange<\/a> with malware; and in 2020 it tried its hand at <a href=\"https:\/\/www.kaspersky.com\/blog\/lazarus-vhd-ransomware\/36559\/\" target=\"_blank\" rel=\"noopener nofollow\">ransomware<\/a>.<\/p>\n<h2>DeFi wallet with backdoor<\/h2>\n<p>The file that caught our researchers\u2019 collective eye contained an infected installer for a legitimate decentralized crypto wallet. DeFi (decentralized finance) is a financial model in which there are no intermediaries like banks, and all transactions are made directly between users. In recent years, DeFi technology has been gaining popularity. According to Forbes, for instance, from May 2020 to May 2021 the value of assets placed in DeFi systems <a href=\"https:\/\/www.forbes.com\/sites\/lawrencewintermeyer\/2021\/05\/20\/after-growing-88x-in-a-year-where-does-defi-go-from-here\/\" target=\"_blank\" rel=\"nofollow noopener\">increased by 88 times<\/a>. Not surprisingly then, DeFi is attracting cybercriminal interest.<\/p>\n<p>How exactly cybercriminals persuade victims to download and run the infected file is not entirely clear. However, our experts suppose that attackers send users <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/spear-phishing\/\" target=\"_blank\" rel=\"noopener\">targeted e-mails<\/a> or messages in social media. Unlike mass mailings, such messages are tailored to a specific recipient and can look very plausible.<\/p>\n<p>In any case, when the user runs the installer, it creates two executables: one \u2014 a malicious program, the other \u2014 a clean crypto wallet installer. 
The malware masks itself as the Google Chrome browser and tries to hide the existence of the infected installer by copying a clean installer in its place, which it runs immediately so that the user doesn\u2019t suspect anything. Once the wallet is successfully installed, the malware continues to run in the background.<\/p>\n<h2>How dangerous is it?<\/h2>\n<p>The malware that gets slipped onto the computer with the DeFi wallet is a <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/backdoor\/\" target=\"_blank\" rel=\"noopener\">backdoor<\/a>. Depending on the operator\u2019s intentions, the backdoor can either harvest information or provide remote control over the device. Specifically, it can:<\/p>\n<ul>\n<li>Start and terminate processes;<\/li>\n<li>Execute commands on the device;<\/li>\n<li>Download files to the device, delete them, and send files from the device to the C&amp;C server.<\/li>\n<\/ul>\n<p>In other words, in case of a successful attack, the malware can disable the antivirus and steal whatever it likes \u2014 from valuable documents to accounts and money. It can also download other malicious programs to the computer as the cybercriminals see fit. As ever, more details are available in the <a href=\"https:\/\/securelist.com\/lazarus-trojanized-defi-app\/106195\/\" target=\"_blank\" rel=\"nofollow noopener\">technical breakdown of the Trojan<\/a> on our expert blog Securelist.<\/p>\n<h2>How not to fall victim<\/h2>\n<p>If you handle finances, and especially cryptocurrency, be wary of messages that try to persuade you to install programs from untrusted sources. In addition, <a href=\"https:\/\/me-en.kaspersky.com\/plus?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kplus___\" target=\"_blank\" rel=\"noopener\">make sure your devices are secure<\/a> \u2014 in particular those you use for cryptocurrency transactions. 
A reliable security solution will help in cases when simple attentiveness isn\u2019t enough.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Lazarus group continues to prey on cryptocurrency: cybercriminals distribute DeFi wallets with built-in backdoor.<\/p>\n","protected":false},"author":2477,"featured_media":19552,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1486],"tags":[477,1520,1505,2553,1702,692],"class_list":{"0":"post-19551","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-apt","9":"tag-backdoors","10":"tag-cryptocurrencies","11":"tag-defi","12":"tag-lazarus","13":"tag-trojans"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/lazarus-defi-wallet-backdoor\/19551\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/lazarus-defi-wallet-backdoor\/24065\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/lazarus-defi-wallet-backdoor\/9884\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/lazarus-defi-wallet-backdoor\/26392\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/lazarus-defi-wallet-backdoor\/24339\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/lazarus-defi-wallet-backdoor\/24698\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/lazarus-defi-wallet-backdoor\/27104\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/lazarus-defi-wallet-backdoor\/33072\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/lazarus-defi-wallet-backdoor\/10645\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/lazarus-defi-wallet-backdoor\/44138\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/lazarus-defi-wallet-backdoor\/18806\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/lazarus-defi-wallet-backdoor\/19336\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/lazarus-defi-wallet-backdoor\/15938\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/lazarus-defi-wallet-backdoor\/28504\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/lazarus-defi-wallet-backdoor\/24960\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/lazarus-defi-wallet-backdoor\/30416\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/lazarus-defi-wallet-backdoor\/30184\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/apt\/","name":"APT"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/19551","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2477"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=19551"}],"version-history":[{"count":0,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/19551\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/19552"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=19551"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=19551"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=19551"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}