North Korean Hacker Group Modifies Crypto-Stealing Malware

The Lazarus hacker group, which is allegedly sponsored by the North Korean authorities, has deployed new viruses to steal cryptocurrency.

Major cybersecurity firm Kaspersky reported on Jan. 8 that Lazarus has doubled down on its efforts to infect both Mac and Windows users' computers.

The group had been using a modified open-source cryptocurrency trading interface called QtBitcoinTrader to deliver and execute malicious code in what has been called "Operation AppleJeus," as Kaspersky reported in late August 2018. Now, the firm reports that Lazarus has started making modifications to the malware.

Kaspersky identified a new macOS and Windows virus named UnionCryptoTrader, which is based on previously detected versions. Another new piece of malware, targeting Mac users, is called MarkMakingBot. The cybersecurity firm noted that Lazarus has been tweaking MarkMakingBot, and speculates that it is "an intermediate stage in significant changes to their macOS malware."

Researchers also found Windows machines that were infected via a malicious file called WFCUpdater but were unable to identify the initial installer. Kaspersky said that the infection started from .NET malware that was disguised as a WFC wallet updater and distributed via a fake website.

The malware infected the PCs in several stages before executing the group's commands and permanently installing the payload.

Attackers may have used Telegram to spread malware

Windows versions of UnionCryptoTrader were found to have been executed from Telegram's download folder, leading researchers to believe "with high confidence that the actor delivered the manipulated installer using the Telegram messenger."

A further reason to believe that Telegram was used to spread the malware is the presence of a Telegram group on the fake website. The program featured a graphical interface showing the price of Bitcoin (BTC) on several cryptocurrency exchanges.

UnionCryptoTrader user interface screenshot. Source: Kaspersky

The Windows version of UnionCryptoTrader starts a tainted Internet Explorer process, which is then used to carry out the attacker's commands. Kaspersky detected instances of the malware described above in the UK, Poland, Russia and China. The report reads:

"We believe the Lazarus group's continuous attacks for financial gain are unlikely to stop anytime soon. […] We assume this kind of attack on cryptocurrency businesses will continue and become more sophisticated."

Lazarus has been known to target crypto users for a long time. In October 2018, Cointelegraph reported that the group had stolen a staggering $571 million in cryptocurrencies since early 2017.

In March 2019, reports by Kaspersky suggested that the group's efforts in targeting cryptocurrency users were still ongoing and that its tactics were evolving. Moreover, the group's macOS virus was also enhanced in October last year.
