Microsoft: Telegram hackers attack cryptocurrency companies

Microsoft reports that cryptocurrency investment companies were targeted over Telegram by a threat actor it tracks as DEV-0139. The attackers used Telegram groups to communicate with VIP clients of the targeted firms.

“Microsoft has recently conducted an investigation into an attack in which a threat actor (tracked as DEV-0139) used Telegram chat groups for cryptocurrency investment firms,” said the Security Threat Intelligence Team.

DEV-0139 joined Telegram groups that exist to facilitate communication between VIP clients and cryptocurrency exchange platforms, and identified its targets among the members of those groups.

In at least one case, the attacker posed as a representative of another crypto asset management company and invited the target into a Telegram group to discuss the fee structures of cryptocurrency exchange platforms.

After gaining the trust of their targets, the threat actors sent a malicious Excel spreadsheet titled “OKX Binance. Huobi VIP Fee Comparision.xls”. The file contained genuine comparisons of the VIP fee structures of the crypto exchange companies, most likely to improve its credibility.

Malicious Excel sheet (BleepingComputer)

Once the victim opens the document and enables macros, a second worksheet embedded in the file downloads and parses a PNG image to extract two files from it: a malicious XOR-encoded DLL backdoor and a legitimate Windows executable that is later used to sideload that DLL.
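The article does not say how the backdoor was hidden inside the PNG, so the scanner below is an added illustration (not code from Microsoft, Volexity or BleepingComputer) of the generic traces an image-carried payload leaves that a defender can check for: chunk types the PNG specification does not define, data appended after the IEND chunk, CRC mismatches, and high-entropy content. The sample images and the XOR-obfuscated dummy payload are constructed inline; the chunk name `pYLd` and the key `0x5A` are invented for the demonstration.

```python
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification and its registered extensions.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or XOR-obfuscated code sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_chunks(png: bytes):
    """Walk the chunk list up to IEND. Returns (chunks, bytes_after_iend)."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    chunks = []
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        crc_bytes = png[pos + 8 + length:pos + 12 + length]
        crc_ok = (len(crc_bytes) == 4 and
                  struct.unpack(">I", crc_bytes)[0] == zlib.crc32(ctype + data) & 0xFFFFFFFF)
        chunks.append((ctype, data, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, png[pos:]


def scan_png(png: bytes, entropy_threshold: float = 7.0) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    chunks, trailing = parse_chunks(png)
    for ctype, data, crc_ok in chunks:
        name = ctype.decode("ascii", errors="replace")
        if not crc_ok:
            findings.append(f"chunk {name}: CRC mismatch")
        if ctype not in STANDARD_CHUNKS:
            ent = shannon_entropy(data)
            flag = " (high entropy)" if ent > entropy_threshold else ""
            findings.append(f"non-standard chunk {name}: {len(data)} bytes, entropy {ent:.2f}{flag}")
    if trailing:
        findings.append(f"{len(trailing)} bytes after IEND, entropy {shannon_entropy(trailing):.2f}")
    return findings


# --- constructed test images (not real samples) ---------------------------
def _chunk(ctype: bytes, data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF)


def build_png(extra_chunks=(), trailing: bytes = b"") -> bytes:
    """Minimal valid 1x1 RGB PNG, optionally with extra chunks and appended bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr)
    for ctype, data in extra_chunks:
        png += _chunk(ctype, data)
    return png + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailing


# Stand-in for an XOR-obfuscated DLL: a fake MZ header plus filler, XORed with a constructed key.
FAKE_PAYLOAD = bytes(b ^ 0x5A for b in b"MZ" + bytes(range(256)) * 4)
CLEAN_PNG = build_png()
SUSPICIOUS_PNG = build_png(extra_chunks=[(b"pYLd", FAKE_PAYLOAD)], trailing=FAKE_PAYLOAD[:300])

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_PNG), ("suspicious", SUSPICIOUS_PNG)):
        print(label, scan_png(img) or "no findings")
```

A clean image produces no findings; the constructed one is flagged twice, once for the private chunk carrying high-entropy data and once for the bytes trailing IEND. In production the same checks are cheap to run on every image an Office macro or unknown process fetches, and a hit is a reason to quarantine the file rather than an attempt to recover whatever it carries.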

The sideloaded DLL then decrypts and loads the backdoor, giving the attackers remote access to the compromised system.
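The sideloading step leaves a recognisable pattern in endpoint telemetry: a signed, legitimate executable running from a user-writable directory loads an unsigned DLL from that same directory, with an Office process as its parent. The following is an added Python example of that triage logic; it is not Microsoft's or Volexity's detection and the event fields are modelled loosely on a Sysmon image-load record, with all three events constructed for the demonstration.

```python
import ntpath
from dataclasses import dataclass

# Directories an ordinary user can write to; a signed binary running from here is unusual.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}


@dataclass
class ImageLoadEvent:
    """Fields modelled on a Sysmon image-load record (constructed for this example)."""
    process_image: str      # full path of the loading process
    process_signed: bool
    loaded_image: str       # full path of the module being loaded
    loaded_signed: bool
    parent_image: str       # full path of the parent process


def sideload_score(ev: ImageLoadEvent) -> tuple:
    """Return (score, reasons). A score of 2 or more is worth an analyst's look."""
    reasons = []
    dll_path = ev.loaded_image.lower()
    if not dll_path.endswith(".dll"):
        return 0, reasons
    proc_dir = ntpath.dirname(ev.process_image.lower())
    dll_dir = ntpath.dirname(dll_path)
    # Classic sideload: a trusted, signed EXE picks up an unsigned DLL from its own directory.
    if ev.process_signed and not ev.loaded_signed and proc_dir == dll_dir:
        reasons.append("signed process loaded an unsigned DLL from its own directory")
    if proc_dir.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("process runs from a user-writable directory")
    if ntpath.basename(ev.parent_image.lower()) in OFFICE_APPS:
        reasons.append("spawned by an Office application (macro-driven?)")
    return len(reasons), reasons


def triage(events) -> list:
    """Return [(process_image, loaded_image, reasons)] for events scoring >= 2."""
    hits = []
    for ev in events:
        score, reasons = sideload_score(ev)
        if score >= 2:
            hits.append((ev.process_image, ev.loaded_image, reasons))
    return hits


# Constructed events: two benign loads and one matching the chain described in the article.
SAMPLE_EVENTS = [
    ImageLoadEvent(r"C:\Windows\System32\svchost.exe", True,
                   r"C:\Windows\System32\ntdll.dll", True,
                   r"C:\Windows\System32\services.exe"),
    ImageLoadEvent(r"C:\Program Files\Vendor\app.exe", True,
                   r"C:\Program Files\Vendor\helper.dll", True,
                   r"C:\Windows\explorer.exe"),
    ImageLoadEvent(r"C:\Users\victim\AppData\Local\Temp\legit.exe", True,
                   r"C:\Users\victim\AppData\Local\Temp\loader.dll", False,
                   r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
]

if __name__ == "__main__":
    for proc, dll, why in triage(SAMPLE_EVENTS):
        print(f"{proc} -> {dll}")
        for reason in why:
            print("   -", reason)
```

Only the third event scores, and it scores on all three indicators. Each indicator alone is noisy (updaters run from %LOCALAPPDATA%, Office legitimately spawns helpers), which is why the example requires two of them to coincide before raising a hit; tuning the prefixes and the parent list to the environment is the usual next step.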

Microsoft explained that the main sheet of the Excel file is protected with the password “dragon” to encourage the user to enable macros.

Once the Base64-encoded content has run, the sheet is unprotected. This trick was likely used to get the user to allow macros without raising suspicion.

DEV-0139 also delivered a second payload in this campaign, an MSI package for a CryptoDashboardV2 application. This suggests the group is also behind other attacks that use similar techniques to push custom payloads.

Attack overview (Microsoft)

Microsoft did not attribute the attack to a specific named group, linking it only to DEV-0139, a cluster of threat activity. Threat intelligence firm Volexity, however, released its own findings over the weekend linking the activity to the North Korean Lazarus group.

Volexity reports that the North Korean hackers used the malicious crypto-exchange fee comparison spreadsheet to deploy the AppleJeus malware, which Lazarus has previously used to hijack cryptocurrency and steal digital assets.

Volexity also observed Lazarus using a cloned copy of the website of HaasOnline’s automated cryptocurrency trading platform to distribute the trojanized BloxHolder application, in place of the QTBitcoinTrader application it had previously used to carry the AppleJeus malware.

Microsoft says it has notified affected customers and provided them with the information needed to secure their accounts.

Lazarus Group is a North Korean hacking organization that has been active since 2009.

The group’s operatives are well known for attacking high-profile targets around the world, such as banks, media outlets and government agencies.

This group is believed to have been responsible for several high-profile cyberattacks, such as the or the in 2017.