Microsoft uncovered an attack targeting crypto startups
- Cryptocurrency investment startups are being targeted by attackers, according to a recent Microsoft report.
- The notorious North Korean group Lazarus is among the best-known actors profiting from this kind of theft.
Microsoft says that a threat group it tracks as DEV-0139 targeted cryptocurrency investment companies through the Telegram channels those companies use to connect with their VIP clients.
Microsoft's security team disclosed the intrusion on December 6 in a report on the campaign against cryptocurrency startups. Over Telegram chat, the attackers built trust with the target and then sent an Excel document named “OKX Binance and Huobi VIP fee comparison.xls” laced with malicious macro code that gave them remote access to, and the ability to monitor, the victim's computer.
Once the victim opens the document and enables macros, a second worksheet downloads and decodes a PNG file to retrieve three components: a malicious DLL, an XOR-encoded backdoor, and a legitimate Windows executable that is then used to sideload the DLL.
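The XOR-encoded backdoor stage above is the kind of artifact an analyst has to decode before it can be examined. The following is an added example of how that is usually done, not code from Microsoft's report or from the campaign itself: it recovers a repeating XOR key by known-plaintext against the decoded file's DOS header. Everything about the format is an assumption on my part rather than a detail from the article: that the decoded backdoor is a Windows PE, that the reserved header fields `e_res`/`e_res2` (offsets 0x1C..0x3B) are zero as they are in compiler-built binaries, and that the key repeats with a period of at most `MAX_KEY_LEN` bytes. The sample blob is constructed in `build_sample_pe`; the key `b"k3y!"` is likewise made up.

```python
"""Recover a repeating XOR key from an XOR-encoded PE by known plaintext.

Added example, not the report's or the malware's code. Assumptions (mine):
the decoded payload is a PE, its reserved DOS-header fields at 0x1C..0x3B are
zero, and the key is a repeating key of at most MAX_KEY_LEN bytes.
"""
import struct

MAX_KEY_LEN = 32
ZERO_REGION = range(0x1C, 0x3C)   # e_res, e_oemid, e_oeminfo, e_res2 (assumed zero)
DOS_STUB_TEXT = b"This program cannot be run in DOS mode."


def build_sample_pe() -> bytes:
    """Constructed minimal PE image used only as sample input (not a real binary)."""
    e_lfanew = 0x80
    img = bytearray(b"MZ")
    img += b"\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"  # 0x02..0x0F
    img += b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00"          # 0x10..0x1B
    img += b"\x00" * 0x20                                                # 0x1C..0x3B reserved
    assert len(img) == 0x3C
    img += struct.pack("<I", e_lfanew)                                   # e_lfanew at 0x3C
    img += (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            + DOS_STUB_TEXT + b"\r\r\n$\x00")                            # DOS stub
    img += b"\x00" * (e_lfanew - len(img))
    img += b"PE\x00\x00" + struct.pack("<HH", 0x8664, 2) + b"\x00" * 16  # COFF header
    img += bytes(range(256)) * 2                                         # stand-in body
    return bytes(img)


def xor_apply(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; encoding and decoding are the same op."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: 'MZ' at 0 and e_lfanew pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_xor_key(encoded: bytes, max_key_len: int = MAX_KEY_LEN):
    """Return the shortest repeating key under which `encoded` decodes to a PE,
    or None. Because 0x00 XOR k == k, the key bytes can be read straight out of
    the encoded reserved fields. A key length is rejected if two offsets with
    the same residue disagree, or if the decoded header fails looks_like_pe."""
    if len(encoded) < 0x40:
        return None
    for klen in range(1, max_key_len + 1):
        seen = {}
        consistent = True
        for off in ZERO_REGION:
            r = off % klen
            if seen.setdefault(r, encoded[off]) != encoded[off]:
                consistent = False
                break
        if not consistent or len(seen) != klen:
            continue
        candidate = bytes(seen[r] for r in range(klen))
        if looks_like_pe(xor_apply(encoded, candidate)):
            return candidate
    return None


if __name__ == "__main__":
    plain = build_sample_pe()
    captured = xor_apply(plain, b"k3y!")          # constructed "recovered" blob
    key = recover_xor_key(captured)
    print("recovered key:", key,
          "decodes to PE:", looks_like_pe(xor_apply(captured, key)))
```

If the real sample uses a non-repeating key or encodes raw shellcode rather than a PE, the header check fails and the function returns None; the fallback is then to lift the decode loop out of the sideloaded DLL and reproduce it, since the loader must contain the key.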
Microsoft described the prevalence of attacks like this one, which frequently involve ransomware, as a barrier to the mass adoption of cryptocurrencies. More worrying, in Microsoft's view, is that the attackers are getting better at this kind of targeted deception.
Threat intelligence company Volexity also published its own observations on this intrusion over the weekend and linked it to the North Korean Lazarus group, even though Microsoft has not attributed the attack to a specific group and instead assigned it to the DEV-0139 cluster of threat activity.
North Korea's Lazarus Group is well known as the actor behind several recent crypto hacks that have shaken the web3 space. In their most recent public advisory, Japan's National Police Agency (NPA) and Financial Services Agency (FSA) warned cryptocurrency firms to be on the lookout for phishing attacks by the Lazarus Group.
As part of this campaign, DEV-0139 also delivered a second payload in addition to the malicious macro-laden Excel file: an MSI package that installs the same intrusion tooling, disguised as the CryptoDashboardV2 app. This led several threat intelligence teams to speculate that the group may also be behind other attacks that used the same method to push different payloads.
Before DEV-0139 was recently identified, there had been other, comparable malware attacks that some threat intelligence teams hypothesised might also have been DEV-0139 at work.
Ironically, Telegram is making every effort to establish a strong presence in the web3 space, even though crypto fraudsters frequently use Telegram bots to deceive users and direct them to harmful websites.
Pavel Durov, founder of the messaging app Telegram, last week revealed plans for the company to launch decentralised cryptocurrency products, including a crypto exchange and non-custodial wallets.