Microsoft: Hackers target cryptocurrency firms over Telegram

Microsoft says that cryptocurrency funding corporations have been focused by a risk group it tracks as DEV-0139 through Telegram teams used to speak with the companies’ VIP prospects.

“Microsoft lately investigated an assault the place the risk actor, tracked as DEV-0139, took benefit of Telegram discussion groups to focus on cryptocurrency funding corporations,” the corporate’s Safety Risk Intelligence staff revealed.

“DEV-0139 joined Telegram teams used to facilitate communication between VIP purchasers and cryptocurrency trade platforms and recognized their goal from among the many members.”

On October 19, attackers with broad data of the crypto funding business invited a minimum of one goal (posing as representatives of different crypto asset administration companies) to a different Telegram group, the place they requested for suggestions on cryptocurrency trade platforms’ payment construction.

After gaining their targets’ belief, the risk actors despatched them malicious Excel spreadsheets named “OKX Binance & Huobi VIP payment comparision.xls” with an information comparability (doubtless correct to extend credibility) between the VIP payment buildings of crypto trade corporations.

​As soon as the sufferer opens the doc and allows macros, a second worksheet embedded within the file will obtain and parse a PNG file to extract a malicious DLL, an XOR-encoded backdoor, and a professional Home windows executable later used to sideload the DLL.

This DLL will decrypt and cargo the backdoor, offering the attackers with distant entry to the sufferer’s compromised system.

“The primary sheet within the Excel file is protected with the password dragon to encourage the goal to allow the macros,” Microsoft defined. 

“The sheet is then unprotected after putting in and working the opposite Excel file saved in Base64. That is doubtless used to trick the consumer to allow macros and never increase suspicion.”

DEV-0139 has additionally delivered a second payload as a part of this marketing campaign, an MSI package deal for a CryptoDashboardV2 app, suggesting that they are additionally behind different assaults utilizing the identical method to push customized payloads.

​Whereas Microsoft has not attributed this assault to a selected group and as an alternative selected to hyperlink it to the DEV-0139 cluster of risk exercise, risk intelligence agency Volexity has additionally revealed its personal findings on this assault over the weekend, connecting it to the North Korean Lazarus risk group.

In response to Volexity, the North Korean hackers used the malicious crypto-exchange payment comparability spreadsheet to drop the AppleJeus malware Lazarus has beforehand utilized in cryptocurrency hijacking and digital asset theft operations.

Volexity additionally noticed Lazarus utilizing a web site clone for the HaasOnline automated cryptocurrency buying and selling platform to distribute a trojanized BloxHolder app which might as an alternative deploy AppleJeus malware bundled throughout the QTBitcoinTrader app.

Microsoft says it notified prospects who’ve been compromised or focused in these assaults and shared the data wanted to safe their accounts.

The Lazarus Group is a hacking group working out of North Korea that has been energetic for over a decade, since a minimum of 2009.

Its operatives are identified for assaults on high-profile targets worldwide, together with banks, media organizations, and authorities companies.

The group is considered accountable for high-profile cyber assaults, together with the 2014 Sony Photos hack and the WannaCry ransomware assault of 2017.