Microsoft Warns a New Group of Threat Actors Is After Cryptocurrency Companies
DEV-0139 Hunts Potential Victims on Telegram Groups.
Microsoft cautions cryptocurrency investment companies that a new threat cluster is wandering on Telegram groups searching for potential victims.
DEV-0139 joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms and identified their target from among the members
Further on, the malicious actor impersonated a cryptocurrency investment company and asked the victim to join another Telegram group. The supposed reason was they wanted feedback on the trading fee structure that exchange platforms used on VIP levels.
The attackers really did their homework on the subject and Microsoft researchers highlighted their level of knowledge on the challenges cryptocurrency companies face nowadays.
The Malicious Excel Files
Once again cybercriminals used social engineering techniques and as soon as they got the victim’s trust, they sent them a malicious Excel spreadsheet. The OKX Binance & Huobi VIP fee comparision.xls document contained a data comparison between the VIP fee structures that looked real enough not to raise any suspicions.
As the unsuspecting victims opened the document, they were further tricked into enabling macros. Subsequently, another worksheet that was embedded in the original file was downloaded.
„A second worksheet embedded in the file will download and parse a PNG file to extract a malicious DLL, an XOR-encoded backdoor, and a legitimate Windows executable later used to sideload the DLL.”, according to cyber researchers
The DLL then decrypted and loaded the backdoor that the attackers needed for remote access to exploit the compromised system.
To better understand the way the cyber attack worked, see below a graphic prepared by Microsoft’s Security Threat Intelligence team:
According to Microsoft, customers who were targeted or compromised by this series of attacks have been notified and instructed in order to secure their accounts.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.