Microsoft: Hackers Target Crypto Firms Over Telegram

  • DEV-0139 has targeted cryptocurrency investment firms.
  • A malicious Excel file named “OKX Binance & Huobi VIP fee comparision.xls” was used as the lure.
  • The group is responsible for other assaults that use the same method to push unique payloads.

According to Microsoft, the threat organization DEV-0139 has targeted cryptocurrency investment firms. The businesses’ VIP clients reportedly communicated with each other using Telegram groups.


Microsoft recently investigated an attack where the threat actor, tracked as DEV-0139, took advantage of Telegram chat groups to target cryptocurrency investment companies.

The findings come from the company’s Security Threat Intelligence team.

The team added:

DEV-0139 joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms and identified their target from among the members.

Posing as officials of other crypto asset management companies, the attackers, who showed extensive knowledge of the cryptocurrency investment sector, invited at least one victim to another Telegram channel on October 19. There, they asked for feedback on the fee structures of cryptocurrency exchange sites.

Once they had gained their targets’ confidence, the threat actors sent them “OKX Binance & Huobi VIP fee comparision.xls,” a malicious Excel file. The spreadsheet compared the VIP fee structures of several cryptocurrency exchanges, and the data was probably accurate in order to improve credibility.

Once the victim opens the file and enables macros, a second worksheet is downloaded to the computer. It parses a PNG file to extract a malicious DLL, along with an XOR-encoded backdoor; the DLL is then sideloaded by a legitimate Windows application.

Because this DLL decodes and loads the backdoor, the attackers gain remote access to the infected PC.
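A defender triaging a suspicious PNG from such a chain wants to know whether anything is hidden behind the image. The script below is an added example, not code from Microsoft’s report or from this article: it walks the PNG chunk structure, reports any data appended after the IEND chunk, and probes that trailing data for a single-byte XOR key that reveals an “MZ” executable header. It assumes the payload is appended after IEND and XOR-encoded with one key byte; the article does not state how DEV-0139 embedded its DLL, and the sample PNG and payload are constructed for the demo.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_chunks(data):
    """Walk PNG chunks; return (list of (type, length), offset just after IEND)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length          # 4 length + 4 type + body + 4 CRC
        if end > len(data):
            raise ValueError("truncated chunk")
        chunks.append((ctype.decode("latin-1"), length))
        pos = end
        if ctype == b"IEND":
            return chunks, pos
    raise ValueError("no IEND chunk")

def find_xor_pe(blob):
    """Try every single-byte XOR key; return the key that yields an 'MZ' header, else None."""
    for key in range(256):
        if bytes(b ^ key for b in blob[:2]) == b"MZ":
            return key
    return None

def triage_png(data):
    """Summarise chunk layout, trailing bytes after IEND, and any XOR key that exposes a PE."""
    chunks, after_iend = png_chunks(data)
    trailing = data[after_iend:]
    result = {"chunks": [c for c, _ in chunks], "trailing_bytes": len(trailing), "xor_key": None}
    if trailing:
        result["xor_key"] = find_xor_pe(trailing)
    return result

def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

# Constructed samples: a minimal (non-renderable) 1x1 PNG, clean and with a fake
# "MZ..." stub appended after IEND, XOR-encoded with the constructed key 0x5A.
_IHDR = _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
CLEAN_SAMPLE = PNG_SIG + _IHDR + _chunk(b"IEND", b"")
FAKE_PAYLOAD = b"MZ" + b"\x90" * 14       # header only, not a real executable
SUSPECT_SAMPLE = CLEAN_SAMPLE + bytes(b ^ 0x5A for b in FAKE_PAYLOAD)

if __name__ == "__main__":
    print(triage_png(CLEAN_SAMPLE))    # no trailing data
    print(triage_png(SUSPECT_SAMPLE))  # 16 trailing bytes, xor_key 90
```

A hit on the XOR probe is a strong triage signal, not proof; the recovered bytes should still be carved out and analysed as an untrusted binary in an isolated environment.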

The main sheet in the Excel file is protected with the password “dragon” to encourage the target to enable the macros, Microsoft explained.

As part of this campaign, DEV-0139 also sent a second payload, an MSI package for the CryptoDashboardV2 application. This implies that they are also responsible for other assaults that use the same method to push unique payloads.

Crypto News Land (cryptonewsland.com), also abbreviated as “CNL”, is an independent media entity not affiliated with any company in the blockchain and cryptocurrency industry.
