CEO of the major crypto exchange Binance Changpeng ‘CZ’ Zhao took to Twitter to warn about the latest hack type targeting the cryptoverse – one executed by “the threat actor [with] broad knowledge of the cryptocurrency industry.”
“Don’t download files!”, said CZ on Tuesday.
He went on to explain that users may receive a file from a friend, but that that friend may have already been compromised. This person may share “a weaponized Excel file” with the name “exchange fee comparision.xls”, which contains a malicious code, among other threats, targeting crypto funds.
CZ referred to a Microsoft Security Threat Intelligence blog post published this Tuesday, which discusses “targeted attacks against the cryptocurrency industry.”
The blog post states that, given the rise of the crypto market over the past several years, it hasn’t attracted the attention of only investors – but of threat actors too, who directly target organizations within the cryptocurrency industry for financial gain.
They found that,
“Attacks targeting this market have taken many forms, including fraud, vulnerability exploitation, fake applications, and usage of info stealers, as attackers attempt to get their hands on cryptocurrency funds.”
Don’t trust your friends
There are also novel tactics being developed, the report said, one of which was employed by a treat actor tracked as DEV-0139 (a designation as a temporary name given to an unknown cluster of threat activity until they are identified and named).
“We are also seeing more complex attacks wherein the threat actor shows great knowledge and preparation, taking steps to gain their target’s trust before deploying payloads,” said the report.
DEV-0139 joined Telegram chat groups to target crypto investment companies. They facilitated communication between VIP clients and crypto exchanges, then identified their target from among the members.
The threat actor posed as representatives of another crypto investment company, and in October 2022 invited the target to a different chat group where they pretended to ask for feedback on the fee structure used by exchanges.
“The threat actor had a broader knowledge of this specific part of the industry, indicating that they were well prepared and aware of the current challenge the targeted companies may have,” the team said.
However, after gaining the target’s trust, DEV-0139 sent a weaponized Excel file that included names of major exchanges, titled ‘OKX Binance & Huobi VIP fee comparision.xls’, which contained several tables about fee structures among exchanges. Notably, “the data in the document was likely accurate to increase their credibility.”
The attack
The weaponized Excel file initiates a series of activities, per the report. It starts with a macro, which is an action or a set of actions that can be recorded and executed as many times and as often as needed – when users create a macro, mouse clicks and keystrokes are recorded.
In this hack, a malicious macro in the file works to obfuscate certain relevant codes and retrieve some data. It will then drop another Excel sheet into C:\ProgramData\Microsoft Media\ and execute it in invisible mode. The file then downloads a PNG file containing three executables: a legitimate Windows file, a malicious version of an executable file, and an encoded backdoor.
All this combined “lets the threat actor remotely access the infected system.”
And there is more
The report stated that the team discovered yet another file that uses a similar technique, but instead of a malicious Excel file, it is delivered in an MSI (Microsoft Software Installer) package for a CryptoDashboardV2 application, dated June 2022.
“This may suggest other related campaigns are also run by the same threat actor, using the same techniques,” it said.
How to defend yourself
The report stated that DEV-0139 has “a broad knowledge of the cryptocurrency industry,” and that both big and small companies may become targets.
The techniques used by the threat actor can be mitigated by adopting the suggested security considerations, they said. While these are instructions for companies, an individual can use the measures to protect themselves as well:
- change Excel macro security settings to control which macros run and under what circumstances when a workbook is opened;
- turn on attack surface reduction rules to prevent common attack techniques observed above;
- ensure that Microsoft Defender Antivirus is up to date and that real-time behavior monitoring is enabled;
- use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion;
- educate end users about protecting personal and business information in social media, filtering unsolicited communication, identifying lures in spear-phishing emails and watering holes, and reporting of reconnaissance attempts and other suspicious activity;
- educate end users about preventing malware infections, such as ignoring or deleting unsolicited and unexpected emails or attachments sent via instant messaging applications or social networks;
- encourage end users to practice good credential hygiene and make sure the Microsoft Defender Firewall is always on.
The crypto industry, be it companies or individuals, has become a common target of various types of attacks. You can find out more about this issue here.
____
Learn more:
– Binance CEO Warns Users to Be Vigilant as Dark Web Hackers Auction Off 500 Million Whatsapp Numbers
– Binance CEO Says They’re Closer to Identifying Hacker Behind $570,000,000 Exploit
– 25 Year-Old Hacker Jailed For Stealing $20 Million in Crypto – Find Out How He Did It
– DeFi Protocol Ankr Suffers Infinity Minting Exploit – Here’s What Happened
