
North Korea using AppleJeus to steal crypto again

The attack technique used by DEV-0139 has been publicly known for a long time

Shashank Bhardwaj
Published: Dec 7, 2022 07:11:29 PM IST

Image: Silas Stein/picture alliance via Getty Images

Microsoft has reported that a threat actor it has dubbed DEV-0139 is actively targeting crypto investment startups. DEV-0139 poses as a crypto investment company on Telegram and uses a well-crafted, malware-laced Excel file to infect systems and gain remote access to them.

The attack is carried out with a high level of sophistication, as is the trend with these types of attacks. DEV-0139 operates through fake profiles of OKX employees, using them to join Telegram groups “used to facilitate communication between VIP clients and cryptocurrency exchange platforms.”

“We are […] seeing more complex attacks wherein the threat actor shows great knowledge and preparation, taking steps to gain their target’s trust before deploying payloads,” wrote Microsoft.

In October, a target was invited to a new group and asked for feedback on an Excel document comparing the VIP fee structures of Binance, OKX, and Huobi. The document looked legitimate at first: it provided accurate information and showed that its author understood the ins and outs of crypto trading. But it also contained a malicious .dll (Dynamic Link Library) file that was sideloaded onto the computer to create a backdoor into the system. The attacker would then ask the target to open the .dll file during their discussion.
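As an added defensive illustration that is not part of this article or of Microsoft's report: the sideloading shape described above (an Office process loading an unsigned DLL from a user-writable path) is something endpoint telemetry can flag. The script below runs a minimal check over constructed Sysmon Event ID 7 (ImageLoad) records; the field names follow Sysmon's ImageLoad schema, and the file names and paths are made up.

```python
"""Flag Office hosts loading unsigned DLLs from user-writable directories.

Added illustration only: the sample events are constructed, not real telemetry,
and the rule is a starting point, not a complete detection.
"""
import re
from typing import Iterable, List

# Office processes that have no business loading unsigned DLLs from a profile path.
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Locations an ordinary user can write to; a DLL sideloaded from a lure document
# typically ends up somewhere like this.
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I
)


def is_suspicious_load(event: dict) -> bool:
    """Return True for a Sysmon ImageLoad event worth alerting on."""
    if event.get("EventID") != 7:
        return False
    host = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if host not in OFFICE_HOSTS:
        return False
    loaded = event.get("ImageLoaded", "")
    if not loaded.lower().endswith(".dll") or not USER_WRITABLE.match(loaded):
        return False
    # A validly signed DLL from a user path is still unusual, but unsigned or
    # invalidly signed ones are the priority for this rule.
    signed = event.get("Signed", "false").lower() == "true"
    return not signed or event.get("SignatureStatus", "") != "Valid"


def find_suspicious(events: Iterable[dict]) -> List[dict]:
    """Filter an event stream down to the loads that match the rule."""
    return [e for e in events if is_suspicious_load(e)]


# Constructed sample events (hypothetical paths and file names).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\fee_comparison.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\plugin.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "loaded", hit["ImageLoaded"])
```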

The attack technique described above has been publicly known for a long time. Microsoft said that the same attacker was found using the same method, .dll files deployed for similar purposes, back in June, and that it has probably been behind other attacks as well.

Microsoft believes that DEV-0139 is the same actor that was linked to North Korea’s state-sponsored Lazarus Group by the cybersecurity firm Volexity, using a version of the malware called AppleJeus and a Microsoft Installer (MSI).

AppleJeus was reported by Kaspersky Labs in 2020, while the US Federal Cybersecurity and Infrastructure Security Agency documented it in 2021.

The writer is the founder at yMedia. He ventured into crypto in 2013 and is an ETH maximalist. Twitter: @bhardwajshash
