DEV-0139 Tailors Attack Against Cryptocurrency Organizations
Category: Threat Actor Activity | Industry: Financial | Level: Tactical | Source: Microsoft
Microsoft's Security Threat Intelligence team discovered the threat actor DEV-0139 targeting cryptocurrency organizations through Telegram groups to launch targeted attacks. In their chat communications, the threat actors demonstrated they were well-versed in the cryptocurrency space, which made their cover story more convincing to the targeted organizations. As observed by Microsoft, "DEV-0139 joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms and identified their target from among the members. The threat actor posed as representatives of another cryptocurrency investment company, and in October 2022 invited the target to a different chat group and pretended to ask for feedback on the fee structure used by cryptocurrency exchange platforms."
Once trust is established with a target, the threat actor delivers weaponized Office documents that download the malicious payloads used to connect to the attack infrastructure. The payloads observed in the attack include logagent.exe, a legitimate Windows error-logging application; a malicious DLL loaded through DLL sideloading; and an XOR-encoded backdoor. The attack structure shares similarities with an attack reported by researchers at Volexity and attributed to the Lazarus threat group distributing its AppleJeus malware.
- Weaponized File Downloads EXE or DLL
Anvilogic Use Cases:
- Rare executable from Microsoft Office
- MSIExec Install MSI File
- Create/Modify Schtasks
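The following is an added example, not code from Microsoft's report or from Anvilogic: a minimal detector that runs the three use cases above over constructed, Sysmon-style process-creation records. The Office child-process baseline, the sample events, and every path and task name in them are assumptions (logagent.exe is the only name taken from the brief).

```python
# Added example: flags the three behaviours listed as use cases for this brief.
# Telemetry is constructed; the allowlist is an assumed baseline to tune locally.
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children Office commonly spawns in normal use (assumed baseline); anything else is "rare".
EXPECTED_OFFICE_CHILDREN = {"splwow64.exe", "werfault.exe", "dw20.exe"}
SCHTASKS_VERBS = ("/create", "/change")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str          # basename of the newly created process
    cmdline: str
    parent_image: str   # basename of the parent process


def detect(events):
    """Return (rule_name, pid) tuples for events matching the use cases."""
    hits = []
    for e in events:
        img, parent, cmd = e.image.lower(), e.parent_image.lower(), e.cmdline.lower()
        # Use case 1: Office spawning an executable outside its normal children.
        if parent in OFFICE_PARENTS and img not in EXPECTED_OFFICE_CHILDREN:
            hits.append(("rare_executable_from_office", e.pid))
        # Use case 2: msiexec installing a package.
        if img == "msiexec.exe" and (" /i " in cmd or ".msi" in cmd):
            hits.append(("msiexec_install_msi", e.pid))
        # Use case 3: scheduled task created or modified.
        if img == "schtasks.exe" and any(v in cmd for v in SCHTASKS_VERBS):
            hits.append(("create_modify_schtasks", e.pid))
    return hits


# Constructed sample telemetry; paths, document and task names are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(100, 50, "WINWORD.EXE", "winword.exe /n fee_structure.docx", "explorer.exe"),
    ProcEvent(101, 100, "splwow64.exe", "splwow64.exe", "WINWORD.EXE"),
    ProcEvent(102, 100, "logagent.exe", r"C:\Users\x\AppData\Local\Temp\logagent.exe", "WINWORD.EXE"),
    ProcEvent(103, 102, "schtasks.exe", 'schtasks /create /tn "PLACEHOLDER_TASK" /tr logagent.exe', "logagent.exe"),
    ProcEvent(104, 50, "msiexec.exe", r"msiexec /i C:\Users\x\Downloads\PLACEHOLDER.msi /qn", "explorer.exe"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```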