Microsoft revealed that malicious entities are getting more sophisticated by the day. According to a new report, Telegram chat groups are being used to target cryptocurrency investment companies.
The tech giant identified a threat actor – DEV-0139 – who infiltrated Telegram groups posing as a representative of a crypto platform.
Targeted Attacks Against Crypto Companies
The post published by Microsoft’s Security Threat Intelligence team stated that the threat actors had significant knowledge of the crypto investment industry and, posing as representatives of other crypto asset management firms, invited at least one target to another Telegram group. The main goal is to engage the target in discussion of a relevant topic in order to gain their trust.
The attackers sent them malware-laced Excel spreadsheets that contain well-crafted information to appear legitimate. Once opened, the weaponized Excel file enables macros, and a second worksheet embedded in the file will download and parse a PNG file to extract a malicious DLL, an XOR-encoded backdoor, and a legitimate Windows executable later used to sideload the DLL, which will decrypt and load the backdoor. This will essentially provide the threat actor with remote access to the target’s compromised system.
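The chain above hinges on an image file that carries something it should not: a PNG that an Excel macro downloads and "parses" to recover a DLL and an XOR-encoded backdoor. From a defender's side, the useful check is whether a PNG is actually just an image. The following is an added example, not code from Microsoft's report or the campaign itself; it assumes the two most common ways payloads are hidden in images (bytes appended after the IEND chunk, and a single-byte XOR over a PE file), which the article does not specify for DEV-0139. It walks the PNG chunk list, reports any trailing data, and tries every single-byte XOR key to see whether the trailing bytes decode to a DOS/PE header. The sample PNG and the fake PE stub are constructed inline so the script runs offline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def split_png(data: bytes):
    """Walk the PNG chunk list and return (chunk_types, trailing_bytes).

    A well-formed PNG ends at the IEND chunk; anything after it is not image
    data and is exactly what a macro-based loader would go looking for.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    types = []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        types.append(ctype)
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return types, data[pos:]
    # No IEND seen: treat whatever follows the parsed chunks as trailing data
    return types, data[pos:]


def find_pe_header(blob: bytes):
    """Return the single-byte XOR key (0 means plaintext) under which `blob`
    starts with a DOS header whose e_lfanew points at a 'PE\\0\\0' signature,
    or None if no key produces one."""
    if len(blob) < 0x40 + 4:
        return None
    for key in range(256):
        if blob[0] ^ key != 0x4D or blob[1] ^ key != 0x5A:  # 'M', 'Z'
            continue
        decoded = bytes(b ^ key for b in blob)
        e_lfanew = struct.unpack_from("<I", decoded, 0x3C)[0]
        if e_lfanew + 4 <= len(decoded) and decoded[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return key
    return None


def analyze_png(data: bytes) -> dict:
    """Summarise whether a PNG carries trailing data and whether that data
    looks like a (possibly XOR-encoded) Windows executable."""
    types, trailing = split_png(data)
    key = find_pe_header(trailing) if trailing else None
    return {
        "chunks": len(types),
        "trailing_bytes": len(trailing),
        "embedded_pe": key is not None,
        "xor_key": key,
    }


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk with a correct CRC."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_samples():
    """Constructed test data: a minimal 1x1 PNG, and the same PNG with a
    single-byte-XOR-encoded fake PE header appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit greyscale
    clean = PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IEND", b"")
    # Fake DOS/PE header only: 'MZ', e_lfanew = 0x40, 'PE\0\0' at 0x40.
    # This is not an executable, just enough structure for the heuristic.
    stub = bytearray(0x44)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    stub[0x40:0x44] = b"PE\0\0"
    key = 0x5A  # arbitrary constructed key
    suspicious = clean + bytes(b ^ key for b in stub)
    return clean, suspicious


if __name__ == "__main__":
    clean_png, bad_png = build_samples()
    print("clean     :", analyze_png(clean_png))
    print("suspicious:", analyze_png(bad_png))
```

In practice this check belongs at the point where an image is fetched or written to disk (proxy, sandbox, or endpoint telemetry): a PNG with kilobytes of data after IEND, let alone one whose trailing bytes decode to a PE header, is a strong signal that the "image" is a container for a second-stage payload. Multi-byte keys and real steganography (payload spread through pixel data) would not be caught by this heuristic and need a different approach.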
Microsoft could not retrieve the final payload but detected another variant of this attack and retrieved the payload. The company’s findings highlighted the existence of other campaigns that leverage the same…
