Microsoft recently published a security threat intelligence blog focused on the spectacular growth of the cryptocurrency industry and how this has resulted in the ecosystem being targeted by an innovative wave of cyber attacks. It talks about a specific attack and further analysed the entire episode to point out insights regarding various such cyber attacks. Deep dive into the article to gain further insights into these happenings.
Microsoft conducted an enquiry into an alleged hack on a cryptocurrency startup. The details of the entire incident are as follows. A threat actor whose identity has been established as DEV-0139 ran a modus operandi which utilised telegram chats to target various organisations in the cryptocurrency ecosystem. The threat actor used telegram to establish contact with various high-profile individuals such as investors or founders associated with various organisations in the ecosystem. After gaining initial trust he requested these people to join a private telegram group associated with a threat actor and further did various activities to strengthen his ties.
Don’t download files!
Compromised friends may send a weaponized Excel file with the name “exchange fee comparision.xls”. It contains malicious code, encoded backdoor and etc.
Hackers target the cryptocurrency industry – Microsoft Security Blog https://t.co/62F1Yh4u5u
— CZ Binance (@cz_binance) December 7, 2022
The threat actor asked these individuals to give their specific feedback on the fee structures associated with various cryptocurrency exchange platforms. After this, the real plan unfolds. The threat actor sends a file titled “OKX Binance & Huobi VIP fee comparision.xls.” These files contained the real malware which initiated a series of backdoor activities in the receiver’s device. To cultivate an added layer of trust, legible technical data associated with the name of the file was already saved inside the file.
Also check: Crypto hacks via LinkedIn: Read How
Analysis of the file
The weaponized excel file initiated several actions on the receiver’s device which can be termed as follows.
The Excel file was already loaded with a malicious macro which can abuse the Userform of VBA. This process will facilitate the obfuscating of the code and aid in the retrieval of the data. After the malicious macro has gained a strong foothold in the device it will immediately drop another Excel sheet into the software which would be already embedded. The encoding of the Excel sheet is in base64 and the Excel is dropped into “C:ProgramDataMicrosoft Media” and it’s named “VSDB688.tmp“. Keep in mind that this entire process is conducted invisibly.
The file initiates the major part of compromising the system. It bifurcates its contents into three components. The first component is a Windows file which is completely legitimate. The second component is a version of “DLL wsock32.dll,” which is malicious. The third component is a backdoor which is XOR encoded.
The second component logagent.exe starts executing itself as sideload of the wsock32.dll, which in itself has executed itself as a DLL proxy associated with the real wsock32.dll,
This process allows the malicious file to decrypt the backdoor which is XOR encoded. This allows the threat actor to directly access the overall system of the organisation from a remote network.
Further, the article detailed the specific attack in a much more detailed manner. The blog itself referenced various technical aspects of the attacks.
The blog further noted that the entire attack mechanism isn’t a new method. Instead, a similar attack along the same lines was seen in June. During that attack, the threat actor used various “.dllfiles“. However, the mechanism during the previous pattern followed a similarly different technique. The Excel files were replaced by an MSI package. These packages were earmarked for a CryptoDashboardV2 application. This reveals the fact that various such attacks have been consistently going around in the ecosystem for some time.
Who is the entity behind these attacks
It’s being debated that DEV-0139 is the same entity that cybersecurity firm Volexity associated with Lazarus group which is sponsored by the state of North Korea had utilised in the past to use a specific type of malware known as “Applejeus” paired with an MSI ie. Microsoft installer. This incident had been already reported to the cybersecurity agencies in the United States by Kaspersky labs.