In mid-December last year, a suspicious file was uploaded to VirusTotal - the online service that scans files for malware. At first glance, it looked like a cryptocurrency wallet installer. But our experts analyzed it and found that, besides the wallet, it delivers malware to the user's device. And it seems that the program isn't the work of small-time crooks, but of the infamous cybercriminals behind Lazarus.

Lazarus is an APT (advanced persistent threat) group. Such groups are cybercriminal organizations that are typically well-funded, develop complex malware, and specialize in targeted attacks - for example, industrial or political espionage. Stealing money, if it interests them at all, is not usually their primary goal. Lazarus, however, is an APT group that actively goes after other people's money. In 2016, for example, the group made off with a tidy sum from the Central Bank of Bangladesh; in 2018 it infected a cryptocurrency exchange with malware; and in 2020 it tried its hand at ransomware.

The file that caught our researchers' collective eye contained an infected installer for a legitimate decentralized crypto wallet. DeFi (decentralized finance) is a financial model in which there are no intermediaries such as banks, and all transactions are made directly between users. In recent years, DeFi technology has been gaining popularity. According to Forbes, for instance, from May 2020 to May 2021 the value of assets placed in DeFi systems increased 88-fold. Not surprisingly, then, DeFi is attracting cybercriminal interest.

How exactly the cybercriminals persuade victims to download and run the infected file is not entirely clear. However, our experts suppose that the attackers send users targeted e-mails or messages on social media. Unlike mass mailings, such messages are tailored to a specific recipient and can look very plausible. In any case, when the user runs the installer, it creates two executables: one is a malicious program, the other a clean crypto wallet installer.