2020-01-10

New Malware from North Korea

A group of Lazarus hackers, allegedly sponsored by the North Korean government, used new viruses to steal crypto.

A major cyber security company, Kaspersky, reported on January 8th that Lazarus has redoubled its efforts to infect Mac and Windows users' computers.

The group was using a modified open-source interface for crypto trading called QtBitcoinTrader to deliver and execute malicious code in the so-called "Operation AppleJeus", as Kaspersky reported in late August 2018. The company now reports that Lazarus has begun making changes to the malware.

Kaspersky has identified new malware for macOS and Windows called UnionCryptoTrader, which is based on previously detected versions. Another new malware, targeted at Mac users, is called MarkMakingBot. The cybersecurity company noted that Lazarus is improving MarkMakingBot and speculates that it is "an intermediate step in making significant changes to their malware on MacOS".

The researchers also found Windows machines that had been infected by a malicious file called WFCUpdater, but were unable to identify the initial installer. Kaspersky said the infection started with .NET malware that was disguised as a WFC wallet update and distributed through a fake website.

The malware infected computers in several stages before the group's commands were executed and the payload was permanently installed.