Hackers target crypto firms over Telegram
Attackers are using Telegram to reach and compromise cryptocurrency firms, according to reports from Microsoft and Volexity. The messaging platform, which crypto exchanges already use to support their clients, gives attackers a direct channel to their targets and a trusted context in which to deliver malware that can steal funds from users' accounts.
Cryptocurrency firms are attractive targets because they hold and move large amounts of digital assets, and the attacks against them rely as much on phishing and social engineering as on malware. The campaign described below shows how a Telegram support group is turned into that social-engineering channel.
Microsoft says that cryptocurrency investment companies have been targeted by a threat group it tracks as DEV-0139 via Telegram groups used to communicate with the firms’ VIP customers.
“Microsoft recently investigated an attack where the threat actor, tracked as DEV-0139, took advantage of Telegram chat groups to target cryptocurrency investment companies,” the company’s Security Threat Intelligence team revealed.
“DEV-0139 joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms and identified their target from among the members.”
On October 19, the attackers, posing as representatives of another crypto asset-management firm and showing detailed knowledge of the industry, invited at least one target into a separate Telegram group, where they asked for feedback on the fee structures of cryptocurrency exchange platforms.
After gaining the targets' trust, the threat actors sent them a malicious Excel spreadsheet named "OKX Binance & Huobi VIP fee comparision.xls" (the misspelling is in the original file name) containing a comparison of the VIP fee structures of crypto exchanges, likely accurate so as to increase its credibility.
Once the victim opens the document and enables macros, the macro extracts a second Excel file stored Base64-encoded in a worksheet. That file downloads a PNG image and parses out of it three components: a malicious DLL, an XOR-encoded backdoor, and a legitimate Windows executable that is later used to sideload the DLL.
The DLL decrypts and loads the backdoor, giving the attackers remote access to the compromised system. Because the process that loads the DLL is a legitimate binary, the DLL sitting beside it, not the process name, is the artefact worth hunting for.
“The main sheet in the Excel file is protected with the password dragon to encourage the target to enable the macros,” Microsoft explained.
“The sheet is then unprotected after installing and running the other Excel file stored in Base64. This is likely used to trick the user to enable macros and not raise suspicion.”
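A triage script for the two carrier tricks in the chain described above, a Base64-encoded Office file hidden in a worksheet string and executables hidden in a PNG under single-byte XOR, added here as an illustrative example; it is not Microsoft's or Volexity's code. The report does not say where in the PNG DEV-0139 stored the three files, so the example assumes the common technique of appending the payload after the IEND chunk. The worksheet strings, the PNG carrier and the PE-shaped blob are constructed inline and are not real malware.

```python
"""Triage helpers for an XLS -> base64 XLS -> PNG -> XOR'd PE delivery chain.

Assumptions (not from the report): the embedded Office file sits in a worksheet
string as a base64 run, and the executables are appended after the PNG IEND
chunk, each obfuscated with a single-byte XOR key.  All inputs are constructed.
"""
import base64
import binascii
import re
import struct
import zlib

# Magic bytes of containers worth flagging when found base64-encoded in a cell.
MAGICS = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2 (legacy .xls/.doc)",
    b"PK\x03\x04": "zip (OOXML/.xlsx)",
    b"MZ": "pe (exe/dll)",
}
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")  # long base64-looking runs
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def find_embedded_files(cell_strings):
    """Decode long base64 runs in worksheet strings; return [(kind, size)] for
    any that start with a known container signature."""
    hits = []
    for cell in cell_strings:
        for m in B64_RUN.finditer(cell):
            try:
                blob = base64.b64decode(m.group(0), validate=True)
            except binascii.Error:
                continue  # not valid base64 (bad length/padding): ignore
            for magic, kind in MAGICS.items():
                if blob.startswith(magic):
                    hits.append((kind, len(blob)))
                    break
    return hits


def png_trailing_data(data):
    """Walk the chunk list (checking each CRC) and return whatever follows IEND.
    Malformed carriers raise ValueError instead of being silently accepted."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            raise ValueError("truncated chunk %r" % ctype)
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            raise ValueError("bad CRC on chunk %r" % ctype)
        pos += 12 + length
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("no IEND chunk")


def find_xor_pe(blob):
    """Recover a single-byte XOR key by known plaintext: a PE image starts with
    'MZ', so key = blob[0] ^ 'M'.  Return (key, decoded) if the result also has
    a 'PE\\0\\0' signature at e_lfanew, else None."""
    if len(blob) < 0x44:
        return None
    key = blob[0] ^ 0x4D                      # 'M'
    if blob[1] ^ key != 0x5A:                 # 'Z'
        return None
    dec = bytes(b ^ key for b in blob)
    e_lfanew = struct.unpack_from("<I", dec, 0x3C)[0]
    if dec[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return key, dec


# ---- constructed samples (not real malware) ---------------------------------
def _chunk(ctype, body):
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))


def build_png_carrier(payload, key):
    """A valid 1x1 greyscale PNG with `payload` XOR'd by `key` appended."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")          # filter byte + one pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    return png + bytes(b ^ key for b in payload)


# Minimal PE-shaped blob: MZ header, e_lfanew=0x40, 'PE\0\0' at offset 0x40.
FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 16
FAKE_OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 40   # OLE2 header only
SAMPLE_CELLS = [b"VIP fee tier", b"A" * 64, base64.b64encode(FAKE_OLE)]

if __name__ == "__main__":
    print(find_embedded_files(SAMPLE_CELLS))
    tail = png_trailing_data(build_png_carrier(FAKE_PE, 0x37))
    print(len(tail), find_xor_pe(tail)[0])
```

The PNG walker validates every chunk CRC and raises on a truncated or otherwise malformed image rather than guessing, so a carrier that image viewers render fine but that has bytes after IEND is flagged by the length of the returned tail. The XOR recovery relies on known plaintext rather than brute force: a single-byte key is fixed by the first byte of the MZ header, and the e_lfanew check rules out chance matches. Real worksheet strings would come from a tool such as oletools or openpyxl; the function takes plain byte strings so it can be fed from whichever extractor is available.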
Microsoft also tied DEV-0139 to a second payload delivered with the same technique, an MSI package for an app called CryptoDashboardV2, suggesting that the group is behind other attacks that use the same delivery method to push custom payloads.
Microsoft did not attribute the activity to a named group, tracking it instead as the DEV-0139 activity cluster (Microsoft's DEV- prefix denotes activity not yet attributed to a known actor). Threat intelligence firm Volexity, which published its own findings on the same campaign over the weekend, connected it to the North Korean Lazarus group.
According to Volexity, the North Korean operators used the malicious exchange fee comparison spreadsheet to drop AppleJeus, a malware family Lazarus has previously used in cryptocurrency hijacking and digital asset theft operations.
Volexity also observed Lazarus using a cloned website for the HaasOnline automated cryptocurrency trading platform to distribute a trojanized BloxHolder app, which instead deployed AppleJeus bundled within the QTBitcoinTrader app.
Microsoft says it notified customers who have been compromised or targeted in these attacks and shared the information needed to secure their accounts.
The Lazarus Group is a hacking group operating out of North Korea that has been active since at least 2009.
Its operatives are known for attacks on high-profile targets worldwide, including banks, media organizations, government agencies and, as here, cryptocurrency businesses.
The group is thought to be responsible for high-profile cyber attacks, including the 2014 Sony Pictures hack and the WannaCry ransomware attack of 2017.