VIP customers of cryptocurrency exchanges, particularly cryptocurrency investment companies, have become targets of a highly sophisticated phishing attack, Microsoft is warning.
In a recent report, Microsoft said it observed an unknown threat actor, labeled as DEV-0139, moving into Telegram groups “used to facilitate communication between VIP clients and cryptocurrency exchange platforms”.
After identifying potential victims, the group would then approach these users, assuming the identity of a peer – another cryptocurrency investment company – and ask for feedback on the fee structure different cryptocurrency exchange platforms use. One such incident was observed on October 19 2022.
Attackers in the know
According to Microsoft, the group has a “broader knowledge” of this part of the industry, suggesting that the fee structure it shared with the victims is probably accurate. The structure itself was presented in a Microsoft Excel file, and that’s when the real trouble starts.
The file, titled “OKX Binance & Huobi VIP fee comparision.xls”, is protected with a “password dragon” meaning the victim needs to enable macros in order to view the contents.
Enabling macros also enables a whole load of trouble: the file has a second, embedded spreadsheet, which downloads and parses a PNG file, which extracts a malicious DLL, an XOR-encoded backdoor, and a clean Windows executable file that would later be used to sideload the malicious DLL.
After all is said and done, the attackers end up with remote access to the target’s endpoint.
While Microsoft does not link this group with any known threat actor and keeps the label DEV-0139 (the DEV label is usually used for threat actors not yet linked to any known groups), a separate report from threat intelligence experts Volexity claims this is, in fact, Lazarus Group, an infamous North Korean state-sponsored threat actor, BleepingComputer has found.
Apparently, Lazarus used the cryptocurrency fee comparison spreadsheet in the past, to infect its targets with the AppleJeus malware.
Here’s our list of the best security suites right now