
Microsoft: Hackers Target Crypto Firms Over Telegram

  • DEV-0139 has targeted cryptocurrency investment firms.
  • A malicious Excel file named “OKX Binance & Huobi VIP fee comparision.xls” (the misspelling is in the original filename) was used as the lure.
  • The group is also responsible for other attacks that use the same technique to deliver custom payloads.

According to Microsoft, the threat group tracked as DEV-0139 has targeted cryptocurrency investment firms. The attackers reportedly got their initial contact through Telegram groups that cryptocurrency exchanges use to communicate with their VIP clients.


“Microsoft recently investigated an attack where the threat actor, tracked as DEV-0139, took advantage of Telegram chat groups to target cryptocurrency investment companies,” the company’s Security Threat Intelligence team wrote.

The team added:

DEV-0139 joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms and identified their target from among the members.

Posing as representatives of other crypto asset management companies, and showing detailed knowledge of the cryptocurrency investment sector, the attackers invited at least one target into a separate Telegram group on October 19. There they asked for feedback on the fee structures used by cryptocurrency exchange platforms.

Once they had gained the target’s confidence, the threat actors sent a file named “OKX Binance & Huobi VIP fee comparision.xls,” a malicious Excel spreadsheet. The spreadsheet contained a comparison of the VIP fee structures of several cryptocurrency exchanges, and the figures were probably accurate, which added to the lure’s credibility.

When the target opens the file and enables macros, a second worksheet embedded in the file downloads and parses a PNG file. From that PNG it extracts three components: a malicious DLL, an XOR-encoded backdoor, and a legitimate Windows executable that is later used to sideload the DLL.

The sideloaded DLL decodes and loads the backdoor, giving the attackers remote access to the infected machine.
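The PNG stage described above, where an image is parsed to extract an XOR-encoded payload, is a common dropper pattern. The following Python script is an added example of the analyst's side of that step; it is not code from Microsoft's report or from the actual sample. It builds its own carrier PNG (a constructed image, a constructed fake PE header standing in for the DLL, and a constructed single-byte key), then walks the PNG chunk structure, collects bytes a plain image should not contain (data after IEND, or data inside a non-standard chunk), and recovers the XOR key by checking for the "MZ" and "PE\0\0" signatures of a decoded executable. Real samples may use a longer key or hide the data elsewhere, so treat the key-recovery step as a starting point rather than a general solution.

```python
"""Added example (not from the Microsoft report or the real sample): carve an
XOR-encoded PE image that a dropper has hidden inside a PNG. Everything here,
the PNG, the fake DLL and the key, is constructed for the demonstration."""
import struct
import zlib
from typing import Iterator, List, Optional, Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
STANDARD_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM",
                   b"sRGB", b"iCCP", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs",
                   b"sBIT", b"sPLT", b"hIST", b"tIME"}

# Constructed stand-in for a DLL: a DOS header whose e_lfanew (offset 0x3C)
# points at a "PE\0\0" signature, then filler. Not a real or runnable binary.
FAKE_DLL = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
            + b"PE\x00\x00" + b"<constructed fake DLL body>")
CONSTRUCTED_KEY = 0x5C  # assumed single-byte key for the demo


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_carrier_png(payload: bytes, key: int, after_iend: bool = True) -> bytes:
    """Build a valid 1x1 RGB PNG carrying payload XOR key (constructed sample).
    after_iend=True appends the blob after IEND; False stores it in a bogus
    ancillary chunk "stEg" so both hiding spots can be exercised."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    encoded = bytes(b ^ key for b in payload)
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    if after_iend:
        return png + _chunk(b"IEND", b"") + encoded
    return png + _chunk(b"stEg", encoded) + _chunk(b"IEND", b"")


def iter_chunks(png: bytes) -> Iterator[Tuple[bytes, bytes, int]]:
    """Yield (type, data, offset_after_chunk) for each chunk up to IEND,
    validating lengths and CRCs so a tampered chunk is reported, not skipped."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    off = len(PNG_SIGNATURE)
    while off + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[off:off + 8])
        end = off + 12 + length
        if end > len(png):
            raise ValueError("truncated chunk %r" % ctype)
        data = png[off + 8:off + 8 + length]
        if struct.unpack(">I", png[end - 4:end])[0] != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            raise ValueError("bad CRC in chunk %r" % ctype)
        yield ctype, data, end
        if ctype == b"IEND":
            return
        off = end
    raise ValueError("no IEND chunk")


def suspicious_blobs(png: bytes) -> List[bytes]:
    """Data a plain image should not have: bytes after IEND and the contents
    of chunks with non-standard type names."""
    found = []
    for ctype, data, end in iter_chunks(png):
        if ctype not in STANDARD_CHUNKS:
            found.append(data)
        if ctype == b"IEND" and end < len(png):
            found.append(png[end:])
    return found


def looks_like_pe(blob: bytes) -> bool:
    """Check the DOS "MZ" magic and the "PE\\0\\0" signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_single_byte_xor(blob: bytes) -> Optional[Tuple[int, bytes]]:
    """A single-byte XOR leaks its key: key = first_byte ^ ord('M'). Confirm
    by decoding and checking the PE structure, not just two bytes."""
    if not blob:
        return None
    key = blob[0] ^ ord("M")
    decoded = bytes(b ^ key for b in blob)
    return (key, decoded) if looks_like_pe(decoded) else None


def extract_hidden_pe(png: bytes) -> Optional[Tuple[int, bytes]]:
    """Analyst entry point: (key, decoded PE) for the first hit, else None."""
    for blob in suspicious_blobs(png):
        hit = recover_single_byte_xor(blob)
        if hit:
            return hit
    return None


if __name__ == "__main__":
    sample = build_carrier_png(FAKE_DLL, CONSTRUCTED_KEY)
    key, pe = extract_hidden_pe(sample)
    print("key=0x%02x payload=%d bytes pe=%s" % (key, len(pe), looks_like_pe(pe)))
```

Run it as-is to see the round trip; to use it on a real dropper's image, replace `sample` with the file's bytes and inspect `suspicious_blobs()` even when `extract_hidden_pe()` returns nothing, since a multi-byte key or a compressed payload defeats the single-byte check but the carved data is still worth a look.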

The main sheet in the Excel file is protected with the password “dragon” to encourage the target to enable the macros, Microsoft explained.

Microsoft also linked DEV-0139 to a second payload, an MSI package for an application called CryptoDashboardV2, delivered with the same technique. This suggests the group is behind other attacks that use the same method to push custom payloads.

Godfrey Mwirigi

Godfrey Mwirigi is an enthusiastic crypto writer with an interest in Bitcoin, blockchain, and technical analysis. With a focus on daily market analysis, his research helps traders and investors alike. His particular interest in digital wallets and blockchain aids his audience in their day-to-day endeavors.
