Crypto Firms Under Attack as New Telegram Malware Deployed

  • Microsoft unveils attack targeting cryptocurrency firms.
  • The attackers used an Excel sheet to infect the victim’s system.
  • This attack was linked to North Korea’s Lazarus Group.

Microsoft’s security team has uncovered an attack in which a malicious actor targeted several cryptocurrency investment firms. The attacker, identified as DEV-0139, infiltrated Telegram channels by pretending to work for a cryptocurrency investment firm. The bad actors pretended to connect with VIP clients of major exchanges to discuss trading fees.

“DEV-0139 joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms and identified their target from among the members,” Microsoft added.

The attacker’s plan was to get cryptocurrency investment firms to download an Excel spreadsheet named “OKX Binance & Huobi VIP fee comparision.xls.” The document accurately details the fees charged by various cryptocurrency exchanges; however, it also contains a malicious macro that secretly launches another copy of Excel in invisible mode.

When the victim opens the file and turns on macros, a second worksheet in the document downloads and parses a PNG file, from which it extracts a malicious DLL, an XOR-encoded backdoor, and a simple Windows executable that is then used to sideload the DLL. This dynamic link library (DLL) decodes and loads the backdoor, thereby granting the attackers remote access to the victim’s infected system.
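The chain described above leaves three observable traces on an endpoint: Excel spawning a second Excel process, Excel writing a PNG next to a DLL and an EXE in a user-writable folder, and a plain executable loading a DLL from its own directory. The following detection heuristic, an added example that is not from Microsoft or Volexity, runs those three checks over constructed process, file-write and image-load telemetry (the event schema, paths and PIDs are assumed for illustration).

```python
"""Heuristics for the infection chain in the article: macro spawns a hidden
Excel, payloads are dropped beside a PNG, an EXE sideloads a DLL.
All events below are constructed sample telemetry, not real indicators."""
from collections import defaultdict
from pathlib import PureWindowsPath

USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

def in_user_dir(path: str) -> bool:
    return any(seg in path.lower() for seg in USER_WRITABLE)

def find_suspicious(events):
    """Return alert strings for events that match the three traces."""
    alerts = []
    dropped = defaultdict(set)            # directory -> extensions written by Excel
    for e in events:
        if e["type"] == "process":
            parent, image = e["parent"].lower(), e["image"].lower()
            # Trace 1: Excel launching another Excel (macro opening a hidden instance)
            if parent.endswith("excel.exe") and image.endswith("excel.exe"):
                alerts.append(f"excel-spawns-excel pid={e['pid']}")
        elif e["type"] == "file" and e["process"].lower().endswith("excel.exe"):
            p = PureWindowsPath(e["path"])
            dropped[str(p.parent).lower()].add(p.suffix.lower())
        elif e["type"] == "imageload":
            exe, dll = PureWindowsPath(e["image"]), PureWindowsPath(e["dll"])
            # Trace 3: executable in a user-writable dir loading a DLL from its own dir
            if in_user_dir(str(exe)) and exe.parent == dll.parent and dll.suffix.lower() == ".dll":
                alerts.append(f"possible-dll-sideload exe={exe.name} dll={dll.name}")
    # Trace 2: Excel wrote a PNG and a DLL or EXE into the same user-writable directory
    for d, exts in dropped.items():
        if in_user_dir(d) and ".png" in exts and exts & {".dll", ".exe"}:
            alerts.append(f"excel-dropped-png-and-binary dir={d}")
    return alerts

TMP = "C:\\Users\\v\\AppData\\Local\\Temp\\"    # constructed victim temp directory
SAMPLE_EVENTS = [                                 # constructed telemetry
    {"type": "process", "pid": 4120, "parent": "C:\\Office\\EXCEL.EXE", "image": "C:\\Office\\EXCEL.EXE"},
    {"type": "file", "process": "C:\\Office\\EXCEL.EXE", "path": TMP + "logo.png"},
    {"type": "file", "process": "C:\\Office\\EXCEL.EXE", "path": TMP + "helper.dll"},
    {"type": "file", "process": "C:\\Office\\EXCEL.EXE", "path": TMP + "loader.exe"},
    {"type": "imageload", "image": TMP + "loader.exe", "dll": TMP + "helper.dll"},
    {"type": "imageload", "image": "C:\\Office\\EXCEL.EXE", "dll": "C:\\Windows\\System32\\kernel32.dll"},
]

def demo():
    return find_suspicious(SAMPLE_EVENTS)
```

Each check alone is noisy on a busy fleet; the value is in all three firing for the same user within a short window.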

Meanwhile, Volexity, a threat intelligence firm, also presented its own findings on the incident, attributing it to the infamous North Korean hacker outfit Lazarus. As reported by Volexity, the malicious crypto-exchange fee comparison spreadsheet was utilized by the North Korean hackers to distribute the AppleJeus malware Lazarus has previously employed in cryptocurrency hijacking and digital asset thefts.

Furthermore, Volexity also discovered that Lazarus was distributing a trojan-infected version of the BloxHolder program, which was used to spread AppleJeus malware within the QTBitcoinTrader app by means of a website clone for the HaasOnline automated cryptocurrency trading platform.

Microsoft also stated that it has spoken with affected users and provided them with the resources they need to safeguard their accounts following these attacks.

As reported by CoinEdition, Japan’s National Police Agency (NPA) and Financial Services Agency (FSA) previously released a public advisory statement alerting crypto-asset businesses to be on the watch for “phishing” assaults from the Lazarus group.

Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.