2022-12-07

VIP clients of cryptocurrency exchanges, especially cryptocurrency investment companies, have become the target of a highly sophisticated phishing attack, warns Microsoft.

In a recent report, Microsoft said it had observed an unknown threat actor tagged as DEV-0139 moving into Telegram groups “used to facilitate communication between VIP clients and cryptocurrency exchange platforms”.

After identifying potential victims, the group approached these users, assuming the identity of a peer – another cryptocurrency investment company – and asked for feedback on the fee structure used by various cryptocurrency exchange platforms. Such an incident was observed on October 19, 2022.

Attackers aware

According to Microsoft, the group has “broader knowledge” of this part of the industry, suggesting that the fee structure it shared with victims is likely accurate. The structure itself was presented in a Microsoft Excel file, and that is where the real problems begin.

The file, titled “OKX Binance & Huobi VIP fee comparision.xls”, is protected with the password “dragon”, and the victim is required to enable macros in order to view its contents.

Enabling macros sets the infection chain in motion: the file carries a second, embedded spreadsheet, which downloads and parses a PNG file. From that PNG it extracts a malicious DLL, an XOR-encoded backdoor, and a clean Windows executable that is later used to sideload the malicious DLL.
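As an added illustration (not code from Microsoft's report or from the campaign itself), a small Python check a defender could run over image files to spot the carrier pattern described above: data appended after the PNG's IEND chunk, an embedded MZ header, or a high-entropy blob consistent with an XOR-encoded payload. The sample PNGs and payloads are constructed inside the script.

```python
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    # Build one PNG chunk: big-endian length, type, data, CRC32 over type+data.
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def trailing_bytes(png: bytes) -> bytes:
    # Walk the chunk list; a well-formed image ends at IEND, so anything after it is foreign.
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return png[pos:]
    raise ValueError("truncated PNG: no IEND chunk")


def shannon_entropy(data: bytes) -> float:
    # Bits per byte; near 8.0 means encrypted, XOR-encoded or compressed content.
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def assess(png: bytes) -> dict:
    # Flag a PNG used as a carrier: appended bytes, an MZ header, or a high-entropy tail.
    tail = trailing_bytes(png)
    ent = shannon_entropy(tail)
    return {
        "trailing_len": len(tail),
        "has_mz": b"MZ" in tail,
        "entropy": round(ent, 2),
        "suspicious": len(tail) > 0 and (b"MZ" in tail or ent > 7.0),
    }


# Constructed samples (not the campaign's files): a 1x1 image, with and without a payload.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
IDAT = zlib.compress(b"\x00\xff\xff\xff")
CLEAN_PNG = PNG_SIG + png_chunk(b"IHDR", IHDR) + png_chunk(b"IDAT", IDAT) + png_chunk(b"IEND", b"")
FAKE_LOADER = b"MZ" + b"\x00" * 62  # stand-in for the clean executable
FAKE_ENCODED = bytes(b ^ 0x5A for b in bytes(range(256)) * 4)  # stand-in for an XOR-encoded blob
CARRIER_PNG = CLEAN_PNG + FAKE_LOADER + FAKE_ENCODED

if __name__ == "__main__":
    for name, png in (("clean.png", CLEAN_PNG), ("carrier.png", CARRIER_PNG)):
        print(name, assess(png))
```

Real carriers may hide the payload inside IDAT data rather than after IEND, so this check catches only the simplest appended-data variant and is meant as a triage aid, not a complete detector.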

After all is said and done, the attackers gain remote access to the target’s endpoint.

While Microsoft does not associate this group with a known threat actor and retains the label DEV-0139 (the DEV label is typically used for threat actors that are not yet associated with a known group), a separate report from threat intelligence firm Volexity, as BleepingComputer reports, claims that this is in fact Lazarus Group, a notorious North Korean state-sponsored threat actor.

Lazarus has previously used a cryptocurrency fee comparison spreadsheet to infect its targets with the AppleJeus malware.

Via: BleepingComputer