Image: Silas Stein/picture alliance via Getty Images
Microsoft has reported that a party dubbed DEV-0139 has been identified to be actively involved in targeting crypto investment startups. DEV-0139 poses as a crypto investment company on Telegram and uses a well-crafted malware-infected Excel file to infect systems, gaining remote access to them.
The threat is carried out with a high level of sophistication, as is the trend with these types of attacks. DEV-0139 works by falsely identifying itself with fake profiles of OKX employees and joining groups on Telegram “used to facilitate communication between VIP clients and cryptocurrency exchange platforms.”
“We are […] seeing more complex attacks wherein the threat actor shows great knowledge and preparation, taking steps to gain their target’s trust before deploying payloads,” wrote Microsoft.
A target was invited to a new group in October to provide feedback on an Excel document comparing the VIP fee structures of Binance, OKX, and Huobi. The document looked legit at first, providing accurate information, and it also showed that the writer had high awareness of the ins and outs of crypto trading, but it also contained a malicious .dll (Dynamic Link Library) file that was sideloaded into the computer to create a backdoor into the system. The attacker would then ask the target to open the .dll file during their discussion.
The attack technique demonstrated above has been known for a long time. Microsoft said that the attacker is the same as the previous one that was found using the same method of attack using .dll files for similar purposes back in June, and it has probably been behind other attacks as well.
Microsoft believes that DEV-0139 is the same actor that was linked to North Korea’s state-sponsored Lazarus Group by the cybersecurity firm Volexity, using a version of the malware called AppleJeus and a Microsoft Installer (MSI).
AppleJeus was reported by Kaspersky Labs in 2020, while the US Federal Cybersecurity and Infrastructure Security Agency documented it in 2021.
The writer is the founder at yMedia. He ventured into crypto in 2013 and is an ETH maximalist. Twitter: @bhardwajshash