Lazarus Trojanized DeFi app for delivering malware

A Lazarus threat actor campaign used a Trojanized DeFi application to deliver a full-featured backdoor, targeting cryptocurrency and DeFi services through multi-stage C2 infrastructure hosted on South Korean servers. The backdoor communicates via HTTP with RC4 encryption and base64 encoding, gathers system information, and can execute commands, exfiltrate data, and delete traces; attribution links it to the CookieTime cluster and ThreatNeedle. #Lazarus #DeFiWalletTrojan #CookieTime #LCPDot #ThreatNeedle #KrCERT

Keypoints

  • Researchers uncovered a Trojanized DeFi application that drops a malicious backdoor when run, disguising itself as a legitimate DeFi Wallet tool.
  • The infection chain includes a Trojanized installer that overwrites a legitimate DeFi Wallet, enabling covertness and persistence of the backdoor.
  • Attackers used compromised web servers in South Korea to host a staged C2 infrastructure, with collaboration from KrCERT to investigate one Lazarus C2 server.
  • The backdoor supports extensive post-compromise actions: system info, drive/file/process enumeration, command execution, file operations, and selective data collection.
  • Communications with the C2 use HTTP with RC4-based encryption and base64 encoding, incorporating parameters such as jsessid and cookie to transmit data.
  • Attribution ties the activity to Lazarus and the CookieTime/LCPDot cluster, with overlaps to ThreatNeedle and Manuscrypt through similar C2 scripts and code reuse.

MITRE Techniques

  • [T1204.002] User Execution – Malicious File – “When executed, the app drops both a malicious file and an installer for a legitimate application, launching the malware with the created Trojanized installer path.”
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – “Register dropped backdoor to the Run registry key.”
  • [T1070.004] Indicator Removal on Host: File Deletion – “The Trojanized application overwrites itself after creating a legitimate application to remove its trace.”
  • [T1070.006] Indicator Removal on Host: Timestomp – “Backdoor capable of timestomping specific files.”
  • [T1057] Process Discovery – “Enumerate processes.”
  • [T1082] System Information Discovery – “Gather IP address, computer name, OS version, and CPU architecture with backdoor.”
  • [T1083] File and Directory Discovery – “Enumerate files (with file name, size, time).”
  • [T1124] System Time Discovery – “Gather system information with backdoor.”
  • [T1071.001] Application Layer Protocol: Web Protocols – “Use HTTP as C2 channel with backdoor.”
  • [T1573.001] Encrypted Channel: Symmetric Cryptography – “Use RC4 encryption and base64 with backdoor.”
  • [T1041] Exfiltration – Exfiltration Over C2 Channel – “Exfiltrates gathered data over C2 channels with backdoor.”

Indicators of Compromise

  • [Hash] Trojanized DeFi application – 0b9f4612cdfe763b3d8c8a956157474a, d65509f10b432f9bbeacfc39a3506e23, and 9 more hashes
  • [Hash] Dropped backdoor – d65509f10b432f9bbeacfc39a3506e23, 0b9f4612cdfe763b3d8c8a956157474a (and 7 more hashes)
  • [Domain] First-stage C2 domains – emsystec.com, bn-cosmo.com (and 4 more domains)
  • [URL] First-stage C2 URLs – http://emsystec[.]com/include/inc[.]asp, http://bn-cosmo[.]com/customer/board_replay[.]asp
  • [URL] Second-stage C2 URLs – http://softapp[.]co[.]kr/sub/cscenter/privacy[.]asp, http://gyro3d[.]com/mypage/faq[.]asp
  • [File Path] Dropped backdoor executable paths – %ProgramData%\Microsoft\GoogleChrome.exe, %ProgramData%\Microsoft\CM202025.exe
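Added example (not code from the Securelist report or from the malware itself): a small Python triage helper that matches proxy log lines against the four C2 URLs listed above, flags requests carrying the jsessid and cookie parameters the backdoor is described as using, and shows how an RC4-then-base64 payload of that shape is decoded once the RC4 key has been recovered from a sample. The RC4 key, the log line format and the placement of the parameters in the query string are constructed assumptions for the demo; the report does not publish the key.

```python
# Added defender-side example; not the report's code and not the backdoor's code.
# Assumptions (constructed for the demo): the RC4 key, the one-line proxy log
# format "<client_ip> <method> <url>", and jsessid/cookie living in the query string.
import base64
import re
from urllib.parse import parse_qs, quote, urlsplit

# First- and second-stage C2 URLs exactly as listed in the report (defanged).
C2_URLS = [
    "http://emsystec[.]com/include/inc[.]asp",
    "http://bn-cosmo[.]com/customer/board_replay[.]asp",
    "http://softapp[.]co[.]kr/sub/cscenter/privacy[.]asp",
    "http://gyro3d[.]com/mypage/faq[.]asp",
]


def refang(url: str) -> str:
    """Turn the '[.]' defanging back into real dots so URLs can be parsed."""
    return url.replace("[.]", ".")


# (hostname, path) pairs used for matching; scheme and query are ignored.
C2_PATHS = {(urlsplit(refang(u)).hostname, urlsplit(refang(u)).path) for u in C2_URLS}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The cipher is symmetric: one call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def encode_payload(key: bytes, plaintext: bytes) -> str:
    """RC4-encrypt then base64-encode, the ordering the report describes."""
    return base64.b64encode(rc4(key, plaintext)).decode()


def decode_payload(key: bytes, blob: str) -> bytes:
    """Reverse of encode_payload: base64-decode then RC4-decrypt."""
    return rc4(key, base64.b64decode(blob))


LOG_RE = re.compile(r"^(\S+)\s+(GET|POST)\s+(\S+)")


def triage_log(lines):
    """Return one dict per request that hits a known C2 host/path.

    has_c2_params is True when both jsessid and cookie are present, which is
    the parameter pair the report associates with the backdoor's beacons.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, url = m.groups()
        parts = urlsplit(url)
        if (parts.hostname, parts.path) not in C2_PATHS:
            continue
        params = parse_qs(parts.query)  # unquotes %2B/%3D back to '+'/'='
        hits.append({
            "client": client,
            "host": parts.hostname,
            "path": parts.path,
            "has_c2_params": "jsessid" in params and "cookie" in params,
            "jsessid": params.get("jsessid", [None])[0],
            "cookie": params.get("cookie", [None])[0],
        })
    return hits


# Constructed demo data: a made-up key and three synthetic proxy log lines.
DEMO_KEY = b"demo-rc4-key"
SAMPLE_LOGS = [
    "10.0.0.5 GET http://intranet.example/index.html",
    "10.0.0.7 POST http://emsystec.com/include/inc.asp?jsessid="
    + quote(encode_payload(DEMO_KEY, b"WIN-HOST01|10.0.0.7"), safe="")
    + "&cookie=" + quote(encode_payload(DEMO_KEY, b"ping"), safe=""),
    "10.0.0.9 GET http://gyro3d.com/mypage/faq.asp",
]

if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOGS):
        print(hit["client"], hit["host"], hit["path"], "c2_params" if hit["has_c2_params"] else "no_params")
        if hit["jsessid"]:
            print("  decoded jsessid:", decode_payload(DEMO_KEY, hit["jsessid"]))
```

The matcher keys on host and path only, so a beacon to the same ASP script with a different query string still fires; a request to a listed host without the jsessid/cookie pair is reported with has_c2_params set to False so an analyst can separate beacons from ordinary browsing to a compromised but otherwise legitimate South Korean site.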

Read more: https://securelist.com/lazarus-trojanized-defi-app/106195/