North Korea always makes headlines for negative reasons. From testing missiles to restricting citizens’ internet and media access, the country seems to keep outdoing itself. Now, new reports have emerged that the Lazarus hacker group, purportedly sponsored by the North Korean government, has deployed new, sophisticated malware to steal cryptocurrency.
On January 8, Kaspersky reported that the Lazarus group has doubled down on its efforts to infect Windows and Mac users’ computers. For many months, the group had been using a modified version of an open-source crypto trading application known as QtBitcoinTrader to deliver and execute malicious code in what has popularly been referred to as “Operation AppleJeus,” as reported by Kaspersky in late August 2018.
The firm now reports that Lazarus has begun making changes to the malware. According to the anti-virus vendor, there is a new macOS and Windows malware family known as UnionCryptoTrader, which is based on the previously detected versions. Additionally, another new piece of malware targeting Mac users is called MarkMakingBot. Kaspersky speculated that it is:
“An intermediate stage in significant changes to their macOS malware”
Researchers also discovered Windows machines that had been infected through a malicious file known as WFCUpdater. However, they did not identify the initial installer. According to Kaspersky, this infection originated from .NET malware that was disguised as a WFC wallet updater and distributed via a fake website.
This malware attacked and infected the PCs in several stages before it executed the group’s commands and permanently installed the payload.
Telegram Might Have Been The Conduit Of Spreading The Malware
Windows versions of UnionCryptoTrader were executed from Telegram’s download folder. Thus, researchers believe:
“With high confidence that the actor delivered the manipulated installer using the Telegram messenger”
An additional reason to believe that Telegram was used to spread this malware is the presence of a Telegram group on the fake site. The program’s graphical interface showed the price of Bitcoin on multiple crypto exchanges.
The Windows version of the UnionCryptoTrader malware, for its part, starts a tainted Internet Explorer process, which is then used to carry out the attacker’s commands. Kaspersky has also found instances of the malware it described in Poland, the United Kingdom, China, and Russia. The report reads:
“We believe the Lazarus group’s continuous attacks for financial gain are unlikely to stop anytime soon. […] We assume this kind of attack on cryptocurrency businesses will continue and become more sophisticated.”
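As an added illustration (not from the article or from Kaspersky’s report) of how a defender could hunt for the two behaviours described above in process-creation telemetry: an installer run out of Telegram’s download folder, and a trading application spawning Internet Explorer. The Sysmon-style field names, the Telegram download path, the parent allow-list and the sample events are assumptions constructed for this example.

```python
"""Hunt Sysmon-style process-creation events for the two behaviours
reported for the Windows UnionCryptoTrader sample: execution from
Telegram's download folder and a non-browser parent spawning iexplore.exe.
Field names, paths and sample events are constructed for this example."""
import re
from typing import Iterable

# Assumption: Telegram Desktop's default download folder on Windows.
TELEGRAM_DL = re.compile(r"\\downloads\\telegram desktop\\", re.IGNORECASE)
# Constructed allow-list of parents that may legitimately start Internet Explorer.
BROWSER_PARENTS = {"explorer.exe", "iexplore.exe", "ieuser.exe", "svchost.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(events: Iterable[dict]) -> list[dict]:
    """Return one finding per suspicious event, tagged with the rule that fired."""
    findings = []
    for ev in events:
        image, parent = ev["Image"], ev["ParentImage"]
        # Rule 1: any executable launched from the Telegram download folder.
        if TELEGRAM_DL.search(image):
            findings.append({"rule": "exec_from_telegram_downloads",
                             "pid": ev["ProcessId"], "image": image})
        # Rule 2: iexplore.exe whose parent is not a browser or shell process.
        if basename(image) == "iexplore.exe" and basename(parent) not in BROWSER_PARENTS:
            findings.append({"rule": "iexplore_spawned_by_non_browser",
                             "pid": ev["ProcessId"], "parent": parent})
    return findings


# Constructed sample events in the shape of Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Users\alice\Downloads\Telegram Desktop\UnionCryptoTrader.exe",
     "ParentImage": r"C:\Program Files\Telegram Desktop\Telegram.exe"},
    {"ProcessId": 4188, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Users\alice\Downloads\Telegram Desktop\UnionCryptoTrader.exe"},
    {"ProcessId": 5010, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},                      # benign: shell parent
    {"ProcessId": 5222, "Image": r"C:\Users\alice\Downloads\7z-setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},                      # benign: ordinary download
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

Both rules are heuristics; a real deployment would tune the allow-list and combine them with file-hash or signer checks rather than alerting on either alone.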
The Lazarus Group has been known to attack crypto users in the past. Reports from October 2018 revealed that the group had stolen up to $571 million in cryptocurrency since early 2017. Kaspersky suggested in March last year that the group’s efforts to steal from crypto users were still ongoing, and that its tactics were evolving, with its macOS malware further enhanced in October 2019.