The Lazarus hacker group, which is allegedly sponsored by the North Korean government, has deployed new malware to steal cryptocurrency. Security researchers at Kaspersky reported on January 8 that the group has redoubled its efforts to infect both macOS and Windows computers.
Kaspersky also noted that the group is using a different approach in its latest campaign. In the earlier campaign Kaspersky named "Operation AppleJeus" in August 2018, the group had distributed a modified build of the open-source cryptocurrency trading application QtBitcoinTrader to deliver and execute malicious code.
Kaspersky's researchers also identified a new macOS and Windows malware family called UnionCryptoTrader, which builds on previously detected versions. MarkMakingBot is another new sample targeting Mac users; Kaspersky says Lazarus has been modifying it and describes it as "an intermediate stage in significant changes to their macOS malware."
Researchers also identified Windows machines infected through a malware file named WFCUpdater, although they were unable to recover the initial installer. Kaspersky noted that the infection began with .NET malware disguised as a WFC wallet updater and distributed through a fake website. The malware infected the machines in several stages before executing the attackers' commands and establishing persistence for the payload.
Lazarus May have Used Telegram to Spread the Malware
The Windows versions of UnionCryptoTrader were found to have been executed from Telegram's download folder, which led Kaspersky to believe "with high confidence that the actor delivered the manipulated installer using the Telegram messenger."
The fake website also advertises a Telegram group, which further strengthens the case. The program's interface displays a chart of the Bitcoin price on several cryptocurrency exchanges. Kaspersky's report reads:
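The Telegram download-folder detail is the kind of artifact a defender can turn into a hunting query. The following script is an added example written for this article, not code from Kaspersky or from the malware itself: it scans simplified Sysmon-style process-creation events and flags executables launched from a Telegram Desktop download folder, or any non-Telegram executable spawned directly by Telegram.exe. The download path (C:\Users\<user>\Downloads\Telegram Desktop\), the event format and the sample events are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample events in a flattened Sysmon Event ID 1 style:
# "timestamp|user|image|parent_image". Not real telemetry from the report.
SAMPLE_EVENTS = [
    "2020-01-08T10:02:11Z|alice|C:\\Users\\alice\\Downloads\\Telegram Desktop\\UnionCryptoTraderSetup.exe|C:\\Users\\alice\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe",
    "2020-01-08T10:05:43Z|alice|C:\\Program Files\\Mozilla Firefox\\firefox.exe|C:\\Windows\\explorer.exe",
    "2020-01-08T11:17:02Z|bob|C:\\Users\\bob\\Downloads\\7z1900-x64.exe|C:\\Windows\\explorer.exe",
    "2020-01-08T12:30:00Z|carol|C:\\Users\\carol\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe|C:\\Windows\\explorer.exe",
    "2020-01-08T12:31:09Z|carol|C:\\Users\\carol\\Downloads\\Telegram Desktop\\invoice.pdf.scr|C:\\Windows\\explorer.exe",
    "2020-01-08T13:00:00Z|dave|C:\\Users\\dave\\AppData\\Local\\Temp\\update.exe|C:\\Users\\dave\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe",
]

# Assumed default Telegram Desktop download location on Windows.
# Matched case-insensitively; adjust if your environment relocates it.
TELEGRAM_DOWNLOAD_DIR = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\Downloads\\Telegram Desktop\\", re.IGNORECASE
)
# Extensions Windows will run as a program when double-clicked.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".msi", ".pif")
TELEGRAM_BINARY = "\\telegram.exe"


@dataclass
class Finding:
    timestamp: str
    user: str
    image: str
    parent_image: str
    reason: str


def parse_event(line: str):
    """Split one flattened event into (timestamp, user, image, parent_image)."""
    fields = line.split("|")
    if len(fields) != 4:
        raise ValueError(f"malformed event: {line!r}")
    return fields


def is_executable(path: str) -> bool:
    return path.lower().endswith(EXECUTABLE_EXTENSIONS)


def detect_telegram_delivered_executables(events: List[str]) -> List[Finding]:
    """Return findings for executables that were plausibly delivered via Telegram."""
    findings: List[Finding] = []
    for line in events:
        timestamp, user, image, parent = parse_event(line)
        if not is_executable(image):
            continue
        if TELEGRAM_DOWNLOAD_DIR.match(image):
            findings.append(Finding(timestamp, user, image, parent,
                                    "executable launched from Telegram Desktop download folder"))
        elif parent.lower().endswith(TELEGRAM_BINARY) and not image.lower().endswith(TELEGRAM_BINARY):
            findings.append(Finding(timestamp, user, image, parent,
                                    "non-Telegram executable spawned by Telegram.exe"))
    return findings


if __name__ == "__main__":
    for f in detect_telegram_delivered_executables(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.user}: {f.reason}\n    image={f.image}\n    parent={f.parent_image}")
```

Run against the constructed events it flags alice's installer, carol's double-extension screensaver and dave's Temp binary, while ignoring a normal Downloads installer and Telegram.exe itself. In a real deployment the same two conditions map directly onto a SIEM query over process-creation telemetry; the folder rule catches what the report describes, and the parent-process rule catches the case where the user opens the file from inside the Telegram client.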
“We believe the Lazarus group’s continuous attacks for financial gain are unlikely to stop anytime soon. […] We assume this kind of attack on cryptocurrency businesses will continue and become more sophisticated.”
Kaspersky had already suggested in March 2019 that the group's efforts against cryptocurrency users were ongoing and its methods evolving, and the group further upgraded its macOS malware in October 2019.