Microsoft exposes North Korea-related hacker targeting crypto startups

UPDATED: Tue, 07 Apr 2026 15:16:17 GMT


The security division of Microsoft, in a press release yesterday, December 6, disclosed an attack targeting cryptocurrency startups. The attacker gained the targets' trust through Telegram chat and then sent an Excel file titled “OKX Binance and Huobi VIP fee comparison.xls,” which contained malicious code that could give remote access to the victim’s system.

Microsoft's Security Threat Intelligence team tracks the threat actor as DEV-0139. The hacker infiltrated chat groups on Telegram, the messaging app, masquerading as a representative of a crypto investment company and pretending to discuss trading fees with VIP clients of major exchanges.

The goal was to trick crypto investment funds into downloading an Excel file. The file contains accurate information about the fee structures of major cryptocurrency exchanges, but it also carries a malicious macro that runs another Excel sheet in the background. Through this, the attacker gains remote access to the victim’s infected system.

Microsoft explained, “The main sheet in the Excel file is protected with the password dragon to encourage the target to enable the macros.” They added, “The sheet is then unprotected after installing and running the other Excel file stored in Base64. This is likely used to trick the user to enable macros and not raise suspicion.”
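One way a defender could triage for the pattern described above, a second Office file stored as Base64 inside the macro, is to scan already-extracted macro source for Base64 runs whose decoded header is a document signature. This is an added example, not code from Microsoft's report or this article; the function names and the sample macro text are constructed for illustration, and macro extraction from the workbook is assumed to have been done with a separate tool.

```python
import base64
import re

# Signatures of the container formats an Office document can be stored in.
MAGICS = {
    bytes.fromhex("D0CF11E0A1B11AE1"): "OLE2 compound file (.xls/.doc/.msi)",
    b"PK\x03\x04": "ZIP container (.xlsx/.xlsm)",
}
# VBA splits long literals as "AAA" & _ <newline> "BBB"; rejoin them first.
CONCAT = re.compile(r'"\s*&\s*(?:_\s*)?"')
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def find_embedded_documents(macro_source):
    """Return (kind, approx_decoded_size) for Base64 runs that hold a document."""
    joined = CONCAT.sub("", macro_source)
    hits = []
    for match in B64_RUN.finditer(joined):
        blob = match.group(0)
        head = base64.b64decode(blob[:16])  # first 12 decoded bytes
        for magic, kind in MAGICS.items():
            if head.startswith(magic):
                hits.append((kind, len(blob.rstrip("=")) * 3 // 4))
    return hits


def constructed_sample():
    """Constructed macro text: an OLE2 header plus zero padding, Base64-encoded."""
    payload = base64.b64encode(bytes.fromhex("D0CF11E0A1B11AE1") + bytes(100)).decode()
    chunks = [payload[i:i + 40] for i in range(0, len(payload), 40)]
    literal = " & _\n    ".join(f'"{c}"' for c in chunks)
    return f"Sub Workbook_Open()\n    data = {literal}\nEnd Sub\n"


if __name__ == "__main__":
    for kind, size in find_embedded_documents(constructed_sample()):
        print(f"embedded {kind}, about {size} bytes")
```

A hit only means a document-shaped blob is embedded in the macro; it is a reason to send the file for deeper analysis, not a verdict on its own.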

According to reports, in August, the cryptocurrency mining malware campaign infected more than 111,000 users.

Threat intelligence connects DEV-0139 to the North Korean Lazarus threat group.

Along with the malicious macro Excel file, DEV-0139 also delivered a second payload as part of this trickery: an MSI package for a CryptoDashboardV2 app that carries out the same intrusion. This has led several threat intelligence teams to suggest that the actor is also behind other attacks using the same technique to push custom payloads.

Before the recent discovery of DEV-0139, there had been other similar phishing attacks that some threat intelligence teams suggested might be the work of DEV-0139.

The threat intelligence company Volexity also released its findings about this attack over the weekend, linking it to the North Korean Lazarus threat group.

According to Volexity, the North Korean hackers use similar malicious crypto-exchange fee comparison spreadsheets to drop the AppleJeus malware, which they have used in cryptocurrency hijacking and digital asset theft operations.

Volexity has also uncovered Lazarus using a website clone for the HaasOnline automated crypto trading platform. They distribute a trojanized Bloxholder app that would instead deploy AppleJeus malware bundled within the QTBitcoinTrader app.

The Lazarus Group is a cyber threat group operating in North Korea. It has been active since around 2009. It is notorious for attacking high-profile targets worldwide, including banks, media organizations, and government agencies.

The group is also suspected to be responsible for the 2014 Sony Pictures hack and the WannaCry ransomware attack of 2017.