The Lazarus hacker group, which is allegedly sponsored by the North Korean government, has deployed new malware to steal cryptocurrency.
Major cybersecurity firm Kaspersky reported on Jan. 8 that Lazarus has doubled down on its efforts to infect both Mac and Windows users' computers.
The group had been using a modified open-source cryptocurrency trading interface called QtBitcoinTrader to deliver and execute malicious code in what has been dubbed "Operation AppleJeus," as Kaspersky reported in late August 2018. Now, the firm reports that Lazarus has started making changes to the malware.
Kaspersky identified a new macOS and Windows malware strain named UnionCryptoTrader, which is based on previously detected versions. Another new malware family, targeting Mac users, is called MarkMakingBot. The cybersecurity firm noted that Lazarus has been tweaking MarkMakingBot, and speculates that it is "an intermediate stage in significant changes to their macOS malware."
Researchers also found Windows machines that had been infected by a malicious file called WFCUpdater but were unable to identify the initial installer. Kaspersky said that the infection started from .NET malware that was disguised as a WFC wallet updater and distributed through a fake website.
The malware infected the PCs in several stages before executing the group's commands and permanently installing the payload.
Attackers may have used Telegram to spread malware
Windows versions of UnionCryptoTrader were found to have been executed from Telegram's download folder, leading researchers to believe "with high confidence that the actor delivered the manipulated installer using the Telegram messenger."
A further reason to believe that Telegram was used to spread the malware is the presence of a Telegram group on the fake website. The program featured a graphical interface displaying the price of Bitcoin (BTC) on several cryptocurrency exchanges.
UnionCryptoTrader person interface screenshot. Supply: Kaspersky
The Windows version of UnionCryptoTrader launches a tainted Internet Explorer process, which is then used to carry out the attacker's commands. Kaspersky detected instances of the malware described above in the U.K., Poland, Russia and China. The report reads:
"We believe the Lazarus group's continuous attacks for financial gain are unlikely to stop anytime soon. [...] We assume this kind of attack on cryptocurrency businesses will continue and become more sophisticated."
Lazarus has been known to target crypto users for a long time. In October 2018, Cointelegraph reported that the group had stolen a staggering $571 million in cryptocurrencies since early 2017.
In March 2019, reports by Kaspersky suggested that the group's efforts in targeting cryptocurrency users were still ongoing and that its tactics were evolving. Additionally, the group's macOS malware was also enhanced in October last year.