Hackers are using Telegram to target crypto firms
Crypto exchange VIP customers targeted
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
VIP customers of cryptocurrency exchanges, particularly cryptocurrency investment companies, have become targets of a highly sophisticated phishing attack,Microsoftis warning.
In arecent report, Microsoft said it observed an unknown threat actor, labeled as DEV-0139, moving into Telegram groups “used to facilitate communication between VIP clients and cryptocurrency exchange platforms”.
After identifying potential victims, the group would then approach these users, assuming the identity of a peer - another cryptocurrency investment company - and ask for feedback on the fee structure different cryptocurrency exchange platforms use. One such incident was observed on October 19 2022.
Attackers in the know
According to Microsoft, the group has a “broader knowledge” of this part of the industry, suggesting that the fee structure it shared with the victims is probably accurate. The structure itself was presented in a Microsoft Excel file, and that’s when the real trouble starts.
The file, titled “OKX Binance & Huobi VIP fee comparision.xls”, is protected with a “password dragon” meaning the victim needs to enable macros in order to view the contents.
North Korean hackers return with updated version of this dangerous malware>Open source software hijacked by North Korean hackers>These are the best firewalls around
Enabling macros also enables a whole load of trouble: the file has a second, embedded spreadsheet, which downloads and parses a PNG file, which extracts a malicious DLL, an XOR-encoded backdoor, and a clean Windows executable file that would later be used to sideload the malicious DLL.
After all is said and done, the attackers end up with remote access to the target’sendpoint.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
While Microsoft does not link this group with any known threat actor and keeps the label DEV-0139 (the DEV label is usually used for threat actors not yet linked to any known groups), a separate report from threat intelligence experts Volexity claims this is, in fact, Lazarus Group, an infamous North Korean state-sponsored threat actor, BleepingComputer has found.
Apparently, Lazarus used the cryptocurrency fee comparison spreadsheet in the past, to infect its targets with the AppleJeus malware.
Via:BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
This new malware utilizes a rare programming language to evade traditional detection methods
A new form of macOS malware is being used by devious North Korean hackers
Arcane season 2 confirms the hit series isn’t just one of the best Netflix shows ever made – it’s an animated legend that’ll stand the test of time
