Microsoft uncovers North Korea-linked hackers targeting crypto startups

The security division of Microsoft, in an announcement yesterday, December 6, uncovered an attack targeting cryptocurrency startups. The attackers gained trust through Telegram chat and sent an Excel file titled “OKX Binance and Huobi VIP fee comparison.xls,” which contained malicious code that could remotely access the victim’s system.

The Security threat intelligence team has tracked the threat actor as DEV-0139. The hacker was able to infiltrate chat groups on Telegram, the messaging app, masquerading as representatives of a crypto investment company and pretending to discuss trading fees with VIP clients of major exchanges. 

The goal was to trick crypto investment funds into downloading an Excel file. This file contains accurate information about the fee structures of major cryptocurrency exchanges. However, it also carries a malicious macro that runs another Excel sheet in the background. Through this, the bad actor gains remote access to the victim’s infected system.

Microsoft explained, “The main sheet in the Excel file is protected with the password dragon to encourage the target to enable the macros.” They added, “The sheet is then unprotected after installing and running the other Excel file stored in Base64. This is likely used to trick the user to enable macros and not raise suspicion.”
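A defender-side triage heuristic for the macro behaviour Microsoft describes (a password-protected sheet unprotected by the macro, a second workbook embedded as Base64, then written to disk and opened), as an added Python example that is not from the article or from Microsoft; the indicator names, the 200-character Base64 floor, the 3-hit threshold and the VBA sample are constructed assumptions:

```python
import base64
import re

# Regexes for the behaviours the article describes; names and thresholds are assumptions.
INDICATORS = [
    ("sheet_unprotect_with_password",
     re.compile(r'\.Unprotect\s*\(?\s*(?:Password\s*:=\s*)?"[^"]+"', re.I)),
    ("base64_decode",
     re.compile(r'bin\.base64|base64decode|FromBase64', re.I)),
    ("writes_file",
     re.compile(r'SaveToFile|CreateTextFile|Open\s+.+\s+For\s+Binary', re.I)),
    ("opens_second_file_or_shell",
     re.compile(r'Workbooks\.Open|\bShell\s*\(|WScript\.Shell', re.I)),
]
# A quoted Base64 literal long enough to hold a real file (200 chars is an assumed floor).
LONG_B64 = re.compile(r'"([A-Za-z0-9+/]{200,}={0,2})"')
OFFICE_MAGIC = (b"\xd0\xcf\x11\xe0", b"PK\x03\x04")  # legacy OLE (.xls) / OOXML zip

def triage_vba(source: str) -> dict:
    """Score extracted VBA text against the indicators; 3 or more hits is flagged."""
    hits = {name: bool(rx.search(source)) for name, rx in INDICATORS}
    hits["embedded_office_file"] = False
    for blob in LONG_B64.findall(source):
        try:
            decoded = base64.b64decode(blob, validate=True)
        except ValueError:
            continue
        if decoded.startswith(OFFICE_MAGIC):  # decoded blob looks like an Office file
            hits["embedded_office_file"] = True
    score = sum(hits.values())
    return {"indicators": hits, "score": score, "suspicious": score >= 3}

# Constructed sample: a fake OLE header padded with zeros, embedded the way the article describes.
SAMPLE_BLOB = base64.b64encode(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 200).decode()
SAMPLE_VBA = (
    'Sub Workbook_Open()\n'
    '    payload = "' + SAMPLE_BLOB + '"\n'
    '    node.DataType = "bin.base64"\n'
    '    node.Text = payload\n'
    '    stream.Write node.nodeTypedValue\n'
    '    stream.SaveToFile Environ("TEMP") & "\\fees.xls", 2\n'
    '    Workbooks.Open Environ("TEMP") & "\\fees.xls"\n'
    '    ThisWorkbook.Sheets(1).Unprotect Password:="dragon"\n'
    'End Sub\n'
)
# Constructed benign macro for comparison.
BENIGN_VBA = 'Sub Total()\n    Range("B2").Value = Application.Sum(Range("A2:A9"))\nEnd Sub\n'

if __name__ == "__main__":
    print(triage_vba(SAMPLE_VBA))   # suspicious, score 5
    print(triage_vba(BENIGN_VBA))   # not suspicious, score 0
```

The VBA text would normally come from a macro extractor such as olevba; the heuristic is a triage aid, not a verdict.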

According to reports, in August, the cryptocurrency mining malware campaign infected more than 111,000 users.

Threat intelligence connects DEV-0139 to the North Korean Lazarus threat group.

Along with the malicious macro Excel file, DEV-0139 also delivered a payload as part of this trickery. This was an MSI package for a CryptoDashboardV2 app that carries out the same intrusion. This has led several intelligence teams to suggest that the actor is also behind other attacks using the same technique to push custom payloads.

Before the recent discovery of DEV-0139, there had been other similar phishing attacks that some threat intelligence teams suggested might be the workings of DEV-0139. 

The threat intelligence company Volexity also released its findings about this attack over the weekend, linking it to the North Korean Lazarus threat group.

According to Volexity, the North Korean hackers use similar malicious crypto-exchange fee comparison spreadsheets to drop the AppleJeus malware. This is what they have used in cryptocurrency hijacking and digital asset theft operations.

Volexity has also uncovered Lazarus using a website clone for the HaasOnline automated crypto trading platform. They distribute a trojanized Bloxholder app that would instead deploy AppleJeus malware bundled within the QTBitcoinTrader app.

The Lazarus Group is a cyber threat group operating out of North Korea. It has been active since around 2009. It is known for attacks on high-profile targets around the world, including banks, media organizations and government agencies.

The group is also suspected to be responsible for the 2014 Sony Pictures hack and the WannaCry ransomware attack of 2017.


Source: https://crypto.news/microsoft-exposes-north-korea-related-hacker-targeting-crypto-startups/