VIP clients of cryptocurrency exchanges, especially cryptocurrency investment companies, have been targeted by a highly sophisticated phishing attack, Microsoft warns.
In a recent report, Microsoft said it observed an unknown threat actor, designated DEV-0139, joining Telegram groups “used to facilitate communication between VIP customers and cryptocurrency exchange platforms.”
After identifying potential victims, the group then approached these users, assuming the identity of a partner – another company investing in cryptocurrencies – and asked for feedback on the fee structure that various cryptocurrency exchange platforms use. One such incident was observed on October 19, 2022.
Known attackers
According to Microsoft, the group has a “wider knowledge” of this part of the industry, suggesting that the fee structure it shared with victims is likely accurate. The structure itself is presented in a Microsoft Excel file, and that’s where the real trouble begins.
The file, titled “OKX Binance & Huobi VIP fee comparision.xls”, is protected with the password “dragon”, and the victim must enable macros to view its contents.
Enabling macros is where the damage is done: the file contains a second, embedded spreadsheet that downloads and parses a PNG file, from which it extracts a malicious DLL, an XOR-encoded backdoor, and a clean Windows executable that is later used to sideload the malicious DLL.
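The chain described above hides executable content inside an image and XOR-encodes a stage so that neither looks like a PE file on disk. The triage helper below is an added example, not code from the Microsoft or Volexity reports: it walks a PNG's chunk list, isolates any bytes appended after the IEND chunk (a common carrier layout, assumed here since the article does not describe how the PNG is structured), and tests whether that trailer is a single-byte-XOR-encoded PE by recovering the key from the known `MZ` magic and the standard DOS stub string. The sample PNG and "payload" are constructed inline and are not real campaign artefacts.

```python
"""
Triage helper: detect data appended after a PNG's IEND chunk and test
whether it is a single-byte-XOR-encoded PE file.  Added example; the
carrier layout and XOR scheme are assumptions, not details from the
reports this article summarises.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
DOS_STUB_MARKER = b"This program cannot be run in DOS mode"


def png_end_offset(data: bytes) -> int:
    """Walk the PNG chunk list and return the offset just past the IEND chunk.
    Raises ValueError if the data is not a well-formed PNG."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # length/type header + payload + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("PNG has no IEND chunk")


def trailing_data(data: bytes) -> bytes:
    """Bytes after IEND: an image viewer ignores them, a loader may not."""
    return data[png_end_offset(data):]


def find_xor_pe(blob: bytes):
    """Try every single-byte XOR key; return (key, decoded) when the result
    looks like a PE file (MZ magic plus the DOS stub string), else None."""
    if len(blob) < 2:
        return None
    for key in range(256):
        # Cheap pre-check: only the first two bytes need to decode to 'MZ'.
        if blob[0] ^ key != 0x4D or blob[1] ^ key != 0x5A:
            continue
        decoded = bytes(b ^ key for b in blob)
        if DOS_STUB_MARKER in decoded:
            return key, decoded
    return None


def triage_png(data: bytes) -> dict:
    """Summary for an analyst: trailer size and XOR/PE verdict."""
    trailer = trailing_data(data)
    hit = find_xor_pe(trailer)
    return {
        "trailer_bytes": len(trailer),
        "xor_key": None if hit is None else hit[0],
        "embedded_pe": hit is not None,
    }


# --- constructed sample input (synthetic, not a real campaign file) ------
def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample(key: int = 0x5A) -> bytes:
    """A valid 1x1 PNG followed by a fake PE header XOR-encoded with `key`.
    The 'PE' is only a header and stub string, so it is not executable."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    fake_pe = b"MZ" + b"\x90" * 62 + DOS_STUB_MARKER + b"\x00" * 16
    return png + bytes(b ^ key for b in fake_pe)


if __name__ == "__main__":
    print(triage_png(build_sample()))
```

The known-plaintext approach works because a PE header carries fixed bytes that survive any single-byte XOR; the same idea extends to short repeating keys by checking the `MZ` magic against each key position, at the cost of a larger search.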
After all is said and done, the attackers gain remote access to the target’s endpoint.
While Microsoft does not associate this group with any known threat actor and retains the DEV-0139 label (the DEV prefix is used for activity clusters not yet attributed to a known actor), a separate report by threat intelligence firm Volexity claims it is, in fact, the Lazarus Group, an infamous North Korean state-sponsored crime group, BleepingComputer reports.
Apparently, Lazarus has used a spreadsheet to compare cryptocurrency fees in the past to infect its targets with the AppleJeus malware.
Via: BleepingComputer