North Korea using AppleJeus to steal crypto again
The attack technique used by DEV-0139 has been publicly known for a long time
Microsoft has reported that a threat actor it tracks as DEV-0139 is actively targeting crypto investment startups. DEV-0139 poses as a crypto investment company on Telegram and uses a carefully crafted, malware-laden Excel file to infect targets' systems and gain remote access to them.
The operation is run with a high level of sophistication, as has become the trend in these attacks. DEV-0139 creates fake profiles posing as OKX employees and uses them to join Telegram groups “used to facilitate communication between VIP clients and cryptocurrency exchange platforms.”
“We are […] seeing more complex attacks wherein the threat actor shows great knowledge and preparation, taking steps to gain their target’s trust before deploying payloads,” wrote Microsoft.
In October, a target was invited to a new group to give feedback on an Excel document comparing the VIP fee structures of Binance, OKX, and Huobi. The document looked legitimate at first: its figures were accurate, and its author clearly understood the ins and outs of crypto trading. But it also carried a malicious .dll (Dynamic Link Library) file that, once the document was opened, was sideloaded (loaded by a legitimate executable in place of the library it expected) to create a backdoor into the system. The attacker would ask the target to open the document during their discussion.
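DLL sideloading is what defenders should hunt for after an intrusion like the one described above: a Windows system DLL name loaded from a user-writable directory, unsigned, by some other program. The script below is an added example written for this article, not code from Microsoft's report or from the DEV-0139 tooling. It runs a sideloading heuristic over constructed records shaped like Sysmon ImageLoad (Event ID 7) fields; the flat key=value layout, the trusted-directory list, and the set of DLL names are assumptions made for the example, and none of the file names correspond to the real campaign.

```python
"""Flag likely DLL sideloading in Sysmon ImageLoad (Event ID 7) records.

Heuristic: a DLL whose file name matches a Windows system DLL is loaded from
outside the trusted system/program directories, and that DLL is not validly
signed. That is the shape of a malicious DLL dropped next to a legitimate
executable that loads it by name.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Directories from which a system-named DLL is expected to load
# (assumption for this example; tune to the estate being monitored).
TRUSTED_DIRS = (
    "c:/windows/system32/",
    "c:/windows/syswow64/",
    "c:/windows/winsxs/",
    "c:/program files/",
    "c:/program files (x86)/",
)

# Illustrative set of Windows DLL names commonly abused for sideloading
# (assumption for this example; a production rule would use a fuller list).
SYSTEM_DLL_NAMES = {
    "wsock32.dll", "version.dll", "dbghelp.dll", "userenv.dll",
    "wininet.dll", "cryptsp.dll", "mpr.dll", "profapi.dll",
}


@dataclass
class ImageLoad:
    image: str             # process that performed the load (Sysmon "Image")
    image_loaded: str      # DLL path (Sysmon "ImageLoaded")
    signed: bool           # Sysmon "Signed"
    signature_status: str  # Sysmon "SignatureStatus", e.g. "Valid"


def _norm(path: str) -> str:
    """Lower-case and use forward slashes so prefix checks are simple."""
    return path.strip().lower().replace("\\", "/")


def parse_record(line: str) -> ImageLoad:
    """Parse one 'Key=Value; Key=Value' line.

    This flat key=value layout is a constructed stand-in for the fields of a
    Sysmon Event ID 7 record, not Sysmon's real XML/EVTX format.
    """
    fields = {}
    for part in line.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        fields[key.strip().lower()] = value.strip()
    return ImageLoad(
        image=fields.get("image", ""),
        image_loaded=fields.get("imageloaded", ""),
        signed=fields.get("signed", "false").lower() == "true",
        signature_status=fields.get("signaturestatus", ""),
    )


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """True when a system-named DLL is loaded from an untrusted path unsigned."""
    dll = _norm(ev.image_loaded)
    name = dll.rsplit("/", 1)[-1]
    if name not in SYSTEM_DLL_NAMES:
        return False
    if dll.startswith(TRUSTED_DIRS):
        return False
    validly_signed = ev.signed and ev.signature_status.lower() == "valid"
    return not validly_signed


def scan(lines: Iterable[str]) -> List[str]:
    """Return the ImageLoaded paths of every record the heuristic flags."""
    return [ev.image_loaded for ev in map(parse_record, lines)
            if is_sideload_candidate(ev)]


# Constructed sample records (not real telemetry, not from the campaign).
SAMPLE_LOG = [
    r"Image=C:\Windows\System32\svchost.exe; ImageLoaded=C:\Windows\System32\wsock32.dll; Signed=true; SignatureStatus=Valid",
    r"Image=C:\Users\victim\AppData\Local\Temp\helper.exe; ImageLoaded=C:\Users\victim\AppData\Local\Temp\wsock32.dll; Signed=false; SignatureStatus=Unavailable",
    r"Image=C:\Program Files\Vendor\app.exe; ImageLoaded=C:\Program Files\Vendor\version.dll; Signed=true; SignatureStatus=Valid",
    r"Image=C:\Users\victim\Downloads\tool.exe; ImageLoaded=C:\Users\victim\Downloads\plugin.dll; Signed=false; SignatureStatus=Unavailable",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("possible DLL sideload:", hit)
```

Only the second record is flagged: a system-named DLL loaded unsigned from a temp directory. The fourth record (an unsigned DLL with a non-system name) is deliberately not caught by this rule, which is the heuristic's known blind spot; pair it with a rule on Office processes writing executables or DLLs to disk to cover the delivery stage the article describes.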