Microsoft warns that high-value customers of cryptocurrency exchanges, especially cryptocurrency investment companies, have become targets of a highly sophisticated phishing attack.
In a recent report, Microsoft said it noticed an unknown threat actor, tracked as DEV-0139, moving into Telegram groups “used to facilitate communication between VIP customers and cryptocurrency exchanges.”
After identifying potential victims, the group contacts these users while posing as a peer – another cryptocurrency investment firm – and solicits feedback on the fee structures used by various cryptocurrency exchanges. One such occurrence was observed on October 19, 2022.
The attackers are aware
According to Microsoft, the group has “broader knowledge” of this part of the industry, which indicates that the fee structure it shares with victims may be accurate. The structure itself was presented in a Microsoft Excel file, and that’s where the real trouble begins.
The file, named “OKX Binance & Huobi VIP charge.xls”, is protected with the password “dragon”, and the victim is prompted to enable macros to view its contents.
Enabling macros also enables a whole load of trouble: the file contains a second, embedded spreadsheet that downloads and parses a PNG file, from which it extracts a malicious DLL, an XOR-encoded backdoor, and a clean Windows executable that is later used to load the malicious DLL.
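A triage helper for the kind of XOR-encoded payload described above, added here as an example and not code from the page or from Microsoft’s report: it assumes a single-byte XOR key (an assumption, since the report quoted here does not give the key length), derives the key from the known “MZ” DOS header, and confirms the guess by checking that e_lfanew points at a “PE\0\0” signature, so a chance “MZ” match does not produce a false hit. The sample input is a constructed stand-in for a PE file, not a real malware sample.

```python
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def looks_like_pe(blob: bytes) -> bool:
    """Validate the DOS header and that e_lfanew (offset 0x3C) points at 'PE\0\0'."""
    if len(blob) < 0x40 or blob[:2] != MZ:
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == PE_SIG


def recover_single_byte_xor_pe(encoded: bytes):
    """Return (key, decoded) if a single-byte XOR key yields a PE image, else None.

    Known-plaintext attack on the analyst's side: the first byte of a PE is 'M',
    so the candidate key is encoded[0] ^ ord('M'); the full header check then
    rejects random data whose first byte happens to decode to 'M'.
    """
    if not encoded:
        return None
    key = encoded[0] ^ MZ[0]
    decoded = xor_bytes(encoded, key)
    return (key, decoded) if looks_like_pe(decoded) else None


def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE: DOS header with e_lfanew=0x80, then a PE signature."""
    header = bytearray(0x80)
    header[:2] = MZ
    struct.pack_into("<I", header, 0x3C, 0x80)
    return bytes(header) + PE_SIG + b"\0" * 64


# Constructed sample: the fake PE encoded with the (assumed) key 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_ENCODED = xor_bytes(build_fake_pe(), SAMPLE_KEY)

if __name__ == "__main__":
    hit = recover_single_byte_xor_pe(SAMPLE_ENCODED)
    print(f"key=0x{hit[0]:02x}" if hit else "no single-byte XOR PE found")
```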
After all is said and done, the attackers end up with remote access to the target’s endpoint.
While Microsoft does not associate this group with any known threat actor and keeps the label DEV-0139 (the DEV label is typically used for threat actors not yet associated with any known groups), a separate report from threat intelligence firm Volexity claims that this is, in fact, the work of the Lazarus Group, North Korea’s notorious state-sponsored threat actor, according to BleepingComputer.
Apparently, Lazarus has used a cryptocurrency fee comparison spreadsheet in the past to infect its targets with the AppleJeus malware.
Via: BleepingComputer