Microsoft researchers report uncovering a series of cyber attacks in which the activity cluster tracked as DEV-0139 used Telegram chats to target cryptocurrency investors. The attack unfolded as follows:
- The attackers join a chat used for communication between crypto exchanges and their VIP clients;
- Having chosen a victim, the attackers impersonate representatives of another crypto exchange and invite the target to a separate chat;
- After gaining the target's trust, the attackers send a malicious Excel spreadsheet named "OKX Binance & Huobi VIP fee comparision.xls", which purports to compare VIP client fees across different cryptocurrency exchanges;
- Once the victim opens the spreadsheet and enables macros, a second sheet downloads and parses a PNG image to extract the malicious DLL, the XOR-encrypted backdoor, and an executable that is then used to sideload the DLL;
- The DLL is decrypted and installs a backdoor that gives the attackers remote access to the victim's system.
To induce the victim to enable macros, the attackers protected the main sheet of the spreadsheet with a password; the protection is removed after another file, stored in base64 format, is installed and run.
Further investigation led the researchers to another file, an MSI package for a fake CryptoDashboardV2 application, which the attackers could also use to install a backdoor on the victim's system.
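The PNG stage above relies on an image viewer ignoring whatever a dropper appends after the final chunk or hides in a private chunk. The following is an added example (not code from the Microsoft report or the campaign) of a defender-side check that walks a PNG's chunk list and flags trailing bytes, non-standard chunk types and bad CRCs; the sample PNG and the appended "MZ" trailer are constructed here for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else is private and worth a look.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP", b"sBIT",
    b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs", b"sPLT", b"tIME",
}

def chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF)

def make_sample_png(extra_chunks=(), trailer: bytes = b"") -> bytes:
    """Constructed 1x1 grayscale PNG; extra_chunks go before IEND, trailer is appended after it."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour type, ...
    png = PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(b"\x00\x00"))
    for ctype, data in extra_chunks:
        png += chunk(ctype, data)
    return png + chunk(b"IEND", b"") + trailer

def inspect_png(blob: bytes) -> dict:
    """Walk the chunk list the way a viewer would and report what a viewer silently skips."""
    out = {"bad_signature": False, "bad_crc": [], "nonstandard_chunks": [],
           "trailing_bytes": 0, "trailing_is_pe": False}
    if not blob.startswith(PNG_SIG):
        out["bad_signature"] = True
        return out
    pos = len(PNG_SIG)
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc) < 4:
            break  # truncated chunk: stop and treat the remainder as trailing data
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            out["bad_crc"].append(ctype.decode("latin-1"))
        if ctype not in STANDARD_CHUNKS:
            out["nonstandard_chunks"].append(ctype.decode("latin-1"))
        pos += 12 + length
        if ctype == b"IEND":
            break
    trailer = blob[pos:]
    out["trailing_bytes"] = len(trailer)
    # A plain PE starts with "MZ"; an XOR-encrypted one will not, so absence is not a clean bill.
    out["trailing_is_pe"] = trailer.startswith(b"MZ")
    return out
```

Any non-zero `trailing_bytes` or private chunk on an image fetched by an Office macro is the signal to pull the file for analysis, regardless of whether the payload is recognisable as a PE.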