The Lazarus hacking group, which is allegedly sponsored by the North Korean government, has deployed new malware to steal cryptocurrency.

Major cybersecurity firm Kaspersky reported on January 8 that Lazarus has doubled down on its efforts to infect both macOS and Windows users' computers.

The group had been using a modified version of QtBitcoinTrader, an open-source cryptocurrency trading application, to deliver and execute malicious code in a campaign Kaspersky dubbed "Operation AppleJeus," which the firm first reported in late August 2022. Now, the firm reports that Lazarus has started making changes to the malware.

Kaspersky identified new macOS and Windows malware named UnionCryptoTrader, which is based on previously detected versions. Another new sample, targeting Mac users, is named MarkMakingBot. The firm noted that Lazarus has been tweaking MarkMakingBot and speculates that it is "an intermediate stage in significant changes to their macOS malware."

Researchers also found Windows machines that were infected through a malicious file called WFCUpdater but were unable to identify the initial installer. Kaspersky said that the infection started from .NET malware disguised as a WFC wallet updater and distributed through a fake website.

The malware infected the PCs in several stages before executing the group's commands and permanently installing the payload.

Attackers may have used Telegram to spread malware

Windows versions of UnionCryptoTrader were found to have been executed from Telegram's download folder, leading researchers to believe "with high confidence that the actor delivered the manipulated installer using the Telegram messenger."

A further reason to believe that Telegram was used to spread the malware is the presence of a Telegram group on the fake website. The program's interface displayed the price of Bitcoin (BTC) on several cryptocurrency exchanges.

UnionCryptoTrader user interface screenshot. Source: Kaspersky

The Windows version of UnionCryptoTrader spawns an Internet Explorer process that hosts the malicious payload, and that process is then used to carry out the attacker's commands. Kaspersky detected instances of the malware described above in the United Kingdom, Poland, Russia and China. The report reads:

"We believe the Lazarus group's continuous attacks for financial gain are unlikely to stop anytime soon. [...] We assume this kind of attack on cryptocurrency businesses will continue and become more sophisticated."
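The two behaviours described above, an installer running out of the Telegram download folder and an Internet Explorer process being spawned by that installer, are the kind of thing a defender can hunt for in endpoint telemetry. The script below is an added example for this page and is not code from Kaspersky's report or from the malware itself. It assumes Telegram Desktop's default Windows download folder is %USERPROFILE%\Downloads\Telegram Desktop, and it runs over a handful of constructed, Sysmon-style process-creation records rather than real telemetry; the file names in those records are made up.

```python
"""
Hunt for process-creation events tied to the Telegram delivery path:
  - an executable started from the Telegram Desktop download folder, or
  - a process (e.g. iexplore.exe) whose parent lives in that folder.

Added example, not from Kaspersky's report. Assumption: Telegram Desktop
saves files to %USERPROFILE%\\Downloads\\Telegram Desktop by default.
The log format (key=value fields separated by '|') is a simplified,
constructed stand-in for Sysmon Event ID 1 records.
"""
import re
from pathlib import PureWindowsPath

# Matches any local-drive path under a user's Telegram Desktop download
# folder, case-insensitively (assumed default Telegram Desktop location).
TELEGRAM_DOWNLOAD_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\downloads\\telegram desktop\\", re.IGNORECASE
)

# Extensions that deserve attention when launched from a chat client's
# download folder; a trojanised trading-app installer would be .exe or .msi.
SUSPICIOUS_EXTENSIONS = {".exe", ".msi", ".dll", ".scr", ".js", ".vbs", ".ps1"}


def parse_event(line):
    """Parse a 'key=value|key=value' record into a dict (constructed format)."""
    fields = {}
    for part in line.strip().split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def is_telegram_download_exec(path):
    """True if path is inside the Telegram Desktop download folder and has an
    executable-like extension."""
    if not path or not TELEGRAM_DOWNLOAD_RE.match(path):
        return False
    return PureWindowsPath(path).suffix.lower() in SUSPICIOUS_EXTENSIONS


def find_suspicious(lines):
    """Return (timestamp, reason, image, parent) for each matching
    process-creation event. reason is 'image' when the started binary sits in
    the Telegram folder and 'parent' when only its parent process does."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "1":        # only process creation
            continue
        image = ev.get("Image", "")
        parent = ev.get("ParentImage", "")
        if is_telegram_download_exec(image):
            hits.append((ev.get("UtcTime"), "image", image, parent))
        elif is_telegram_download_exec(parent):
            hits.append((ev.get("UtcTime"), "parent", image, parent))
    return hits


# Constructed sample records (not real telemetry; file names are invented).
SAMPLE_LOG = [
    r"EventID=1|UtcTime=2023-01-08 10:01:12|Image=C:\Users\alice\Downloads\Telegram Desktop\CryptoTraderSetup.exe|ParentImage=C:\Windows\explorer.exe",
    r"EventID=1|UtcTime=2023-01-08 10:01:15|Image=C:\Program Files\Internet Explorer\iexplore.exe|ParentImage=C:\Users\alice\Downloads\Telegram Desktop\CryptoTraderSetup.exe",
    r"EventID=1|UtcTime=2023-01-08 10:02:00|Image=C:\Users\alice\Downloads\Telegram Desktop\chart.png|ParentImage=C:\Windows\explorer.exe",
    r"EventID=3|UtcTime=2023-01-08 10:02:05|Image=C:\Users\alice\Downloads\Telegram Desktop\tool.exe|DestinationIp=203.0.113.5",
    r"EventID=1|UtcTime=2023-01-08 10:03:30|Image=C:\Users\alice\Downloads\report.exe|ParentImage=C:\Windows\explorer.exe",
]

if __name__ == "__main__":
    for ts, reason, image, parent in find_suspicious(SAMPLE_LOG):
        print(f"{ts}  [{reason}]  {image}  (parent: {parent})")
```

Only the first two records fire: the installer launched from the Telegram folder, and the Internet Explorer process it spawned. The image file, the network event and the executable from the plain Downloads folder are ignored, so the rule stays narrow enough to be useful on a busy host.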

Lazarus has been known to target crypto users for a long time. In October 2022, Cointelegraph reported that the group had stolen a staggering $571 million in cryptocurrencies since early 2022.

In March 2022, Kaspersky reports suggested that the group's efforts to target cryptocurrency users were still ongoing and that its tactics were evolving. Furthermore, the group's macOS malware was also enhanced in October last year.