Threat actors have been observed targeting companies operating within the cryptocurrency industry for financial gain.
According to a new advisory published by Microsoft on Tuesday, attacks targeting this market have taken several forms over the past few months, including fraud, vulnerability exploitation, fake applications and info stealer deployment.
“We are also seeing more complex attacks wherein the threat actor shows great knowledge and preparation, taking steps to gain their target’s trust before deploying payloads,” the tech giant wrote.
One of the threat actors Microsoft observed operating against this industry is DEV-0139, which made use of Telegram groups that facilitate communication between VIP clients and cryptocurrency exchange firms, and identified its target among the members of those groups.
“The threat actor posed as representatives of another cryptocurrency investment company, and in October 2022, invited the target to a different chat group and pretended to ask for feedback on the fee structure used by cryptocurrency exchange platforms,” Microsoft explained.
“The threat actor had a broader knowledge of this specific part of the industry, indicating that they were well prepared and aware of the current challenge the targeted companies may have.”
After establishing the first contact with potential victims, DEV-0139 sent a weaponized Excel file that contained tables about fee structures among cryptocurrency exchange companies.
Microsoft suggested the data in the document was possibly accurate in order to increase its credibility; once executed, the malicious file infected the victim’s machine, established persistence and installed a backdoor for subsequent remote access.
“Further investigation through our telemetry led to the discovery of another file that uses the same DLL [dynamic link library] proxying technique. But instead of a malicious Excel file, it is delivered in an MSI [Microsoft installer] package,” Microsoft wrote. “This may suggest other related campaigns are also run by the same threat actor, using the same techniques.”
To help defend against this type of attack, the company has included in its advisory a list of indicators of compromise (IoCs) alongside other security considerations.
The information about the new threats comes weeks after decentralized finance (DeFi) platform Moola Market suffered a security incident leading to a loss of up to $9m in cryptocurrency.