Hackers are using Telegram to target crypto firms

By Scott Marlette Last updated Dec 8, 2022

VIP customers of cryptocurrency exchanges, particularly cryptocurrency investment companies, have become targets of a highly sophisticated phishing attack, Microsoft is warning.

In a recent report (opens in new tab), Microsoft said it observed an unknown threat actor, labeled as DEV-0139, moving into Telegram groups “used to facilitate communication between VIP clients and cryptocurrency exchange platforms”.

After identifying potential victims, the group would then approach these users, assuming the identity of a peer – another cryptocurrency investment company – and ask for feedback on the fee structure different cryptocurrency exchange platforms use. One such incident was observed on October 19 2022.

Attackers in the know

According to Microsoft, the group has a “broader knowledge” of this part of the industry, suggesting that the fee structure it shared with the victims is probably accurate. The structure itself was presented in a Microsoft Excel file, and that’s when the real trouble starts.

The file, titled “OKX Binance & Huobi VIP fee comparision.xls”, is protected with a “password dragon” meaning the victim needs to enable macros in order to view the contents.

Enabling macros also enables a whole load of trouble: the file has a second, embedded spreadsheet, which downloads and parses a PNG file, which extracts a malicious DLL, an XOR-encoded backdoor, and a clean Windows executable file that would later be used to sideload the malicious DLL.

After all is said and done, the attackers end up with remote access to the target’s endpoint (opens in new tab).

While Microsoft does not link this group with any known threat actor and keeps the label DEV-0139 (the DEV label is usually used for threat actors not yet linked to any known groups), a separate report from threat intelligence experts Volexity claims this is, in fact, Lazarus Group, an infamous North Korean state-sponsored threat actor, BleepingComputer has found.

Apparently, Lazarus used the cryptocurrency fee comparison spreadsheet in the past, to infect its targets with the AppleJeus malware.

Via: BleepingComputer (opens in new tab)

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.