Hackers are using Telegram to target crypto firms

An illustration of Bitcoin with a financial value graph
(Image credit: eToro)

VIP customers of cryptocurrency exchanges, particularly cryptocurrency investment companies, have become targets of a highly sophisticated phishing attack, Microsoft is warning. 

In a recent report, Microsoft said it observed an unknown threat actor, labeled as DEV-0139, moving into Telegram groups “used to facilitate communication between VIP clients and cryptocurrency exchange platforms”.

After identifying potential victims, the group would then approach these users, assuming the identity of a peer - another cryptocurrency investment company - and ask for feedback on the fee structure different cryptocurrency exchange platforms use. One such incident was observed on October 19 2022.

Attackers in the know

According to Microsoft, the group has a “broader knowledge” of this part of the industry, suggesting that the fee structure it shared with the victims is probably accurate. The structure itself was presented in a Microsoft Excel file, and that’s when the real trouble starts.

The file, titled “OKX Binance & Huobi VIP fee comparision.xls”, is protected with a “password dragon” meaning the victim needs to enable macros in order to view the contents. 

Enabling macros also enables a whole load of trouble: the file has a second, embedded spreadsheet, which downloads and parses a PNG file, which extracts a malicious DLL, an XOR-encoded backdoor, and a clean Windows executable file that would later be used to sideload the malicious DLL. 

After all is said and done, the attackers end up with remote access to the target’s endpoint.

While Microsoft does not link this group with any known threat actor and keeps the label DEV-0139 (the DEV label is usually used for threat actors not yet linked to any known groups), a separate report from threat intelligence experts Volexity claims this is, in fact, Lazarus Group, an infamous North Korean state-sponsored threat actor, BleepingComputer has found.

Apparently, Lazarus used the cryptocurrency fee comparison spreadsheet in the past, to infect its targets with the AppleJeus malware.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.