Microsoft's security division has investigated an attack in which a threat actor targeted cryptocurrency investment firms. The actor, tracked as DEV-0139, succeeded in infiltrating chat groups on Telegram (a popular messaging app) under a false identity.
The attacker posed as a crypto investment firm and lured victims by claiming to want to discuss trading fees with prominent customers of well-known exchanges.
Tech Giant Microsoft Uncovers an Attack Victimizing Crypto Platforms
The attacker had substantial knowledge of the messaging app and therefore won the victim's trust with little difficulty. According to Microsoft, the actor identified its target within the Telegram groups and then invited them to a separate chat group.
The attacker claimed to want the victim's feedback on the fee structures used by cryptocurrency exchanges. The goal was to deceive the crypto investment funds by tricking them into downloading the Excel file sent to them.
Although the document does contain accurate information about the fee structures of the top crypto exchanges, it also contains a malicious command.
That command silently runs a separate, hidden Excel sheet. It also drops a file named "VSDB688.tmp" on the targeted system, which downloads a PNG file containing three more executable files.
One is a legitimate Windows file named logagent.exe. The second is a malicious DLL named wsock32.dll. The third is an XOR-encoded backdoor.
logagent.exe is used to load the malicious wsock32.dll, which acts as a DLL proxy for the genuine wsock32.dll. The malicious DLL in turn loads and decrypts the XOR-encoded file, which is the backdoor.
As a result, the actor gains remote access to the victim's infected system. Further investigation revealed another file that uses the same DLL proxying technique, but is delivered in an MSI package for a CryptoDashboardV2 app rather than in a malicious Excel file.
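As an added defensive illustration (not code from this article or from Microsoft's report), the following Python hunting check flags the load pattern described above: a well-known system DLL name such as wsock32.dll resolved from the loading executable's own directory instead of the Windows system directories. The input records are constructed to resemble Sysmon Event ID 7 (Image loaded) fields; the file paths, the Temp directory and the CryptoDashboardV2 install location are assumptions, not indicators from the report.

```python
from pathlib import PureWindowsPath

# DLL names that normally resolve only from the Windows system directories.
# Loading one of these from an application's own directory is the shape of
# the DLL proxying described above (malicious wsock32.dll beside logagent.exe).
SYSTEM_DLLS = {"wsock32.dll", "ws2_32.dll", "version.dll", "dbghelp.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive comparison."""
    return str(PureWindowsPath(path)).lower()


def in_system_dir(path: str) -> bool:
    """True if the path lies under System32 or SysWOW64."""
    return _norm(path).startswith(SYSTEM_DIRS)


def proxy_dll_suspects(events):
    """Return (Image, ImageLoaded, Signed) tuples for image loads where a
    system DLL name was resolved from the loading process's own directory."""
    hits = []
    for ev in events:
        loaded = PureWindowsPath(ev["ImageLoaded"])
        if loaded.name.lower() not in SYSTEM_DLLS or in_system_dir(ev["ImageLoaded"]):
            continue
        image_dir = _norm(str(PureWindowsPath(ev["Image"]).parent))
        if _norm(str(loaded.parent)) == image_dir:
            hits.append((ev["Image"], ev["ImageLoaded"], ev.get("Signed", "unknown")))
    return hits


# Constructed records shaped like Sysmon Event ID 7 fields (assumed paths).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\logagent.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\wsock32.dll", "Signed": "false"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\logagent.exe",
     "ImageLoaded": r"C:\Windows\System32\ws2_32.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\CryptoDashboardV2\CryptoDashboardV2.exe",
     "ImageLoaded": r"C:\Program Files\CryptoDashboardV2\wsock32.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for image, dll, signed in proxy_dll_suspects(SAMPLE_EVENTS):
        print(f"suspect DLL proxy: {image} loaded {dll} (signed={signed})")
```

Legitimate applications occasionally ship private copies of system DLL names, so treat a hit as a lead to check the DLL's signature and export table rather than as a verdict on its own.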
Findings Caution about Other Such Campaigns Using the Same Technique
The findings also indicate that other campaigns may rely on the same techniques to target crypto entities.
In its blog post, Microsoft said it will share further details from its ongoing research into attacks targeting crypto investment entities, along with its analysis of the files used in these cases.
According to Microsoft, this will help similar institutions understand the nature of these attacks and prepare to respond to them.
Volexity's researchers recently published their findings on the same attack. Microsoft stated that it directly notifies customers who have been targeted or compromised and provides them with the information they need to secure their accounts.
Microsoft uses DEV-#### designations as temporary names for developing, emerging, or unknown clusters of threat activity.
This lets the Microsoft Threat Intelligence Center (MSTIC) track the activity as a unique set of information until it is confident about the identity or origin of the actor behind it. Once the specified criteria are met, the DEV group is converted into a named actor.