- An investigation by the Microsoft Security Threat Intelligence team found that different cryptocurrency investment companies have been attacked through Telegram groups.
- The threat, known as DEV-0139, communicated with the firms’ VIP clients, then sent them a malicious file and took control of their devices.
- According to threat intelligence company Volexity, the attacks have been linked to the North Korean threat group Lazarus.
Among instant messaging platforms, WhatsApp and WeChat dominate. Further back sits another giant: Telegram. As noted on other occasions, it is widely used within the cryptocurrency ecosystem because it lets users assemble large groups and create bots. Telegram is used for good and… for bad.
An investigation by the Microsoft Security Threat Intelligence team found that different cryptocurrency investment companies have been attacked through Telegram groups.
DEV-0139 attack
The threat actor, known as DEV-0139, communicated with the firms’ VIP clients, as the site BleepingComputer reported.
“DEV-0139 joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchanges and identified its target among the members”, highlighted the specialized team of Microsoft.
The attack was recorded last Wednesday, October 19. The hackers, posing as representatives of other cryptocurrency management companies, managed to get a person to comment on “the fee structure of cryptocurrency exchange platforms.”
After several exchanges of messages, having gained the trust of the eventual victim, the hackers sent an Excel spreadsheet called “OKX Binance & Huobi VIP fee comparison.xls”. It contained fee comparisons from three of the world’s largest exchanges.
Once the victim opened the document, the hackers achieved what they were looking for: it downloaded a second spreadsheet and parsed a PNG file to “extract a malicious DLL, an XOR-encoded backdoor, and a legitimate Windows executable later used to load the DLL”. According to experts, “the DLL will be cracked and will load the backdoor, giving attackers remote access to the victim’s compromised system.”
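As an added defensive illustration, not code from the original article or from Microsoft's report: a small PNG chunk parser that flags an image carrying extra data appended after its IEND chunk (an "overlay"), one common way a DLL or an XOR-encoded blob is smuggled inside an image file. It assumes the overlay technique as a stand-in; the article does not say exactly how this campaign's PNG stored its payload, and the sample image and payload below are constructed.

```python
import math, struct, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_chunk(ctype: bytes, body: bytes) -> bytes:  # chunk with a correct CRC (builds the sample only)
    crc = struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)
    return struct.pack(">I", len(body)) + ctype + body + crc

def parse_png(data: bytes):
    """Walk the chunk list. Returns (chunk types, offset just past IEND, types whose CRC failed)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, types, bad_crc = len(PNG_SIG), [], []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):  # declared length runs past the file: treat as a damaged chunk
            bad_crc.append(ctype.decode("latin-1"))
            break
        body = data[pos + 8:end - 4]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if crc != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            bad_crc.append(ctype.decode("latin-1"))
        types.append(ctype.decode("latin-1"))
        pos = end
        if ctype == b"IEND":
            break
    return types, pos, bad_crc

def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte; XOR-encoded or packed data sits near 8."""
    counts = [buf.count(bytes([b])) for b in range(256)]
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c) if buf else 0.0

def inspect_png(data: bytes) -> dict:
    """Flag bytes hidden after IEND (the overlay) and chunks that do not check out."""
    types, end, bad_crc = parse_png(data)
    overlay = data[end:] if "IEND" in types else b""
    findings = [f"bad CRC or truncated chunk: {t}" for t in bad_crc]
    if overlay:
        findings.append(f"{len(overlay)} bytes appended after IEND")
        if overlay[:2] == b"MZ":
            findings.append("overlay begins with an MZ (PE) header")
        if entropy(overlay) > 7.0:
            findings.append("high-entropy overlay, consistent with XOR-encoded or packed content")
    return {"chunks": types, "overlay_len": len(overlay), "findings": findings}

def sample_png() -> bytes:  # constructed 1x1 greyscale PNG; a real check reads the file from disk
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + png_chunk(b"IEND", b"")
```

Run `inspect_png(open(path, "rb").read())` over images dropped by an Office document; a clean image reports no findings, while an appended payload shows up as an overlay with either an MZ signature or near-8-bit entropy.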
Microsoft, for its part, also gave some explanations about this recent case.
“The main sheet of the Excel file is protected with the password dragon to encourage the target to activate the macros. The sheet is then checked out after installing and running the other Excel file stored in Base64. This is likely to be used to trick the user into enabling macros and not arouse suspicion”, they acknowledged.
Who is behind this subtle and clever attack? Microsoft did not specify, although the threat intelligence company Volexity, which also worked on the case, has: it finds a relationship with the North Korean threat group Lazarus.
These North Korean hackers, active since at least 2009, are responsible for high-profile attacks such as the Sony Pictures hack in 2014 and the WannaCry ransomware outbreak in 2017. Their attacks target high-profile companies or governments and do not focus on particular individuals.
Volexity supports its attribution to Lazarus by noting that the method used matches one the group has used in the past: the AppleJeus malware also relied on a malicious spreadsheet.