Cryptocurrency Hack Alert: N.Korean Lazarus Group Back With New Dance, Old Tune


According to Microsoft, a threat actor has been found to be concentrating on bitcoin investment start-ups. In order to gain remote access to systems, a group Microsoft has identified as DEV-0139 pretended to be a cryptocurrency investment firm on Telegram and used an Excel file weaponized with “well-crafted” malware.

The threat fits into a pattern of recent, highly sophisticated attacks. According to a blog post by Microsoft on December 6, the threat actor in this instance joined Telegram channels “used to enable contact between VIP clients and cryptocurrency exchange platforms” while falsely posing as OKX staff. Microsoft further explained:

“We are […] seeing more complex attacks wherein the threat actor shows great knowledge and preparation, taking steps to gain their target’s trust before deploying payloads.”

The target was invited to join a new group and then provided with an Excel document that compared the VIP fee structures of OKX, Binance, and Huobi. Alongside accurate information that showed a high level of awareness of how cryptocurrency trading actually works, the document secretly sideloaded a malicious .dll (Dynamic Link Library) file onto the user’s machine. While the fees were being discussed, the target was then instructed to open the .dll file themselves.

Long Known Attack Technique For Cryptocurrency Funds

The attack method itself is well known. Microsoft asserted that the threat actor was the same one discovered using .dll files for related purposes in June, and that it was likely responsible for other cases as well. According to Microsoft, DEV-0139 is the same actor that cybersecurity firm Volexity connected to North Korea’s state-sponsored Lazarus Group on the basis of a variant of the AppleJeus malware and an MSI (Microsoft Installer) package. Kaspersky Labs reported on AppleJeus in 2020, and the Cybersecurity and Infrastructure Security Agency of the United States documented it in 2021.

Lazarus Group has been formally linked to North Korea’s nuclear weapons program by the U.S. Treasury Department.

The Office of Foreign Assets Control, or OFAC, of the United States Treasury Department has revised its sanctions on the cryptocurrency mixer Tornado Cash and added two people engaged in “transportation and procurement activities” for North Korea to its list of specially designated persons.

The Department of the Treasury declared on Nov. 8 that it had “delisted and simultaneously renamed” Tornado Cash, and that it had imposed penalties on North Korean citizens Ri Sok and Yan Zhiyong on the basis of their actions. The department reaffirmed its allegation that the crypto mixer was involved in laundering $455 million in cryptocurrency stolen by the Lazarus Group, which has ties to North Korea.