VIP clients of cryptocurrency exchanges, especially cryptocurrency investment firms, have become the target of a highly sophisticated phishing attack, Microsoft warns.
In a recent report, Microsoft said it observed an unknown malicious actor, labeled DEV-0139, moving around in Telegram groups "used to facilitate communication between VIP customers and cryptocurrency exchanges on social networks".
After identifying potential victims, the group would approach those users, assuming the identity of a peer, another cryptocurrency investment firm, and seek feedback on the fee structure used by the various cryptocurrency exchanges. One such incident was observed on October 19, 2022.
According to Microsoft, the group has a "broader understanding" of this part of the industry, suggesting that the pricing structure it shared with victims is likely accurate. The structure itself was presented in a Microsoft Excel file, and that's where the real trouble begins.
The file, titled “OKX Binance & Huobi VIP fee comparision.xls”, is password-protected (the password is “dragon”), which means that the victim must enable macros to view the content.
Enabling macros is where the problems begin: the file contains a second embedded spreadsheet, which downloads and parses a PNG file and extracts from it a malicious DLL, an XOR-encoded backdoor, and a clean Windows executable that is later used to load the malicious DLL.
In the end, the attackers gain remote access to the target endpoint.
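The chain above (a PNG fetched by the macro with a single-byte-XOR-encoded backdoor hidden in it) is a routine triage problem for a responder. The following is an added example, not code from Microsoft's report or from the attackers, that pulls any bytes appended after a PNG's IEND chunk and tests whether a single-byte XOR key turns them into a PE file; the "appended after IEND" layout and single-byte key are assumptions for illustration, and the sample PNG and MZ stub are constructed.

```python
from typing import Optional
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def trailing_data(png: bytes) -> bytes:
    """Walk the PNG chunk list and return any bytes appended after IEND."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        pos += 12 + length  # 4-byte length + 4-byte type + data + 4-byte CRC
        if ctype == b"IEND":
            return png[pos:]
    raise ValueError("truncated PNG: no IEND chunk")


def xor_key_for_pe(blob: bytes) -> Optional[int]:
    """Single-byte XOR key that turns blob into an MZ/PE image, else None.
    A key of 0 means the blob is already a plain PE file."""
    if len(blob) < 0x40:
        return None
    key = blob[0] ^ ord("M")          # key implied by the expected 'M'
    if blob[1] ^ key != ord("Z"):     # the same key must also produce 'Z'
        return None
    decoded = bytes(b ^ key for b in blob)
    e_lfanew = struct.unpack_from("<I", decoded, 0x3C)[0]  # offset of PE header
    return key if decoded[e_lfanew:e_lfanew + 4] == b"PE\x00\x00" else None


def build_png(extra: bytes = b"") -> bytes:
    """Constructed 1x1 RGB PNG (not from the campaign) with optional trailing data."""
    def chunk(ctype: bytes, data: bytes) -> bytes:
        crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit depth, RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")            # filter byte + one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"") + extra


def fake_pe() -> bytes:
    """Constructed minimal MZ stub whose e_lfanew points at a PE signature."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 16
```

On a real sample, run trailing_data over the downloaded image and pass the result to xor_key_for_pe; a hit is a strong signal that the file is a carrier rather than a picture.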
While Microsoft does not link this group to any known threat actors and keeps the DEV-0139 label (the DEV prefix is typically used for threat activity not yet attributed to a known group), a separate report from threat intelligence firm Volexity claims that it is, in fact, the Lazarus Group, an infamous North Korean state-sponsored threat actor, BleepingComputer has found.
Lazarus has apparently used the cryptocurrency fee comparison spreadsheet in the past to infect its targets with the AppleJeus malware.
Via: BleepingComputer