
North Korean Lazarus Group Targeting Crypto Market via Telegram & Excel File


DEV-0139 uses targeted attacks to steal cryptocurrency investments 

Microsoft has identified a threat actor that has been targeting cryptocurrency investment startups. The actor, which Microsoft tracks as DEV-0139, posed as a cryptocurrency investment firm on Telegram and used a weaponized Excel file carrying well-crafted malware to compromise systems and access them remotely. 

The threat is part of a trend of cyberattacks showing a high degree of sophistication. In this case, the threat actor created a fake profile of an OKX employee and joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms. 

In recent years, the cryptocurrency market has grown exponentially, attracting the attention of investors as well as threat actors. Cybercriminals have long used cryptocurrency in their attacks and campaigns, especially for ransom payments in ransomware attacks. 

DEV-0139 uses Telegram and Excel files to target victim

There has also been a rise in threat actors directly attacking organizations in the cryptocurrency industry for financial gain. Cyberattacks targeting the cryptocurrency market come in various forms, including fraud, vulnerability exploitation, fake apps, and info stealers, all of which are used to steal cryptocurrency funds. 

In October, the victim was asked to join a new group and then to provide feedback on an Excel document comparing the VIP fee structures of Binance, OKX, and Huobi. 

The document contained accurate information and showed a keen awareness of how crypto trading actually works; however, its macro also sideloaded a malicious DLL (Dynamic Link Library) to open a backdoor into the user's system. The victim was asked to open the document and review it while the fees were being discussed. 

According to Microsoft, the weaponized Excel file initiates the following chain of events:

  • A malicious macro in the weaponized Excel file abuses a VBA UserForm to obfuscate the code and retrieve some data.
  • The macro extracts a second Excel workbook that is embedded in the form as base64, drops it into C:\ProgramData\Microsoft Media\ under the name VSDB688.tmp, and opens it in invisible mode.
  • The file VSDB688.tmp downloads a PNG file containing three executables: a legitimate Windows file named logagent.exe, a malicious version of the DLL wsock32.dll, and an XOR-encoded backdoor.
  • logagent.exe is used to sideload the malicious wsock32.dll, which acts as a proxy DLL forwarding calls to the legitimate wsock32.dll. The malicious DLL loads and decrypts the XOR-encoded backdoor, which gives the threat actor remote access to the infected system.
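As an added illustration of the last two steps (this is example analyst code written for this post, not Microsoft's or the blog author's), the script below carves the plain PE files out of a container that starts with a PNG signature and then recovers the XOR key of the trailing backdoor by known plaintext, since any PE must begin with "MZ". The container layout (PNG signature followed by the files back to back), the single-byte key, and the stub executables are assumptions constructed here; the real key, offsets and image layout used by DEV-0139 are not given in the write-up.

```python
"""Carve embedded executables out of a PNG-wrapped container and XOR-decode the backdoor.
Added example for this post, not Microsoft's or the blog's code. The container layout,
the one-byte XOR key and the stub PE files below are constructed assumptions."""
import struct
from typing import List, Optional, Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def pe_length(blob: bytes, off: int) -> Optional[int]:
    """Size of the PE image starting at blob[off:], or None if there is no valid PE there.
    The size is the furthest end of any section's raw data (never less than the headers)."""
    if blob[off:off + 2] != b"MZ" or off + 0x40 > len(blob):
        return None
    try:
        e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
        pe = off + e_lfanew
        if blob[pe:pe + 4] != b"PE\0\0":
            return None
        n_sections = struct.unpack_from("<H", blob, pe + 6)[0]
        opt_size = struct.unpack_from("<H", blob, pe + 20)[0]
        table = pe + 24 + opt_size                       # first section header
        length = table + 40 * n_sections - off           # headers only, so far
        for i in range(n_sections):
            raw_size, raw_ptr = struct.unpack_from("<II", blob, table + 40 * i + 16)
            length = max(length, raw_ptr + raw_size)
        return length
    except struct.error:                                 # header runs past the end of the blob
        return None


def carve_pes(container: bytes) -> Tuple[List[bytes], bytes]:
    """Return every plain PE found, in order, plus the bytes after the last one: the
    XOR-encoded payload has no readable MZ/PE signature, so it is left in the tail."""
    pes, pos, last_end = [], 0, 0
    while (i := container.find(b"MZ", pos)) >= 0:
        n = pe_length(container, i)
        if n is None:                                    # stray "MZ" bytes, not a header
            pos = i + 1
            continue
        pes.append(container[i:i + n])
        pos = last_end = i + n
    return pes, container[last_end:]


def xor_decode_single_byte(enc: bytes, known_prefix: bytes = b"MZ") -> Tuple[int, bytes]:
    """Known-plaintext recovery of a one-byte XOR key (assumption: the key is one byte).
    A PE starts with "MZ", so key = enc[0] ^ "M"; byte 1 must then decode to "Z"."""
    if len(enc) < len(known_prefix):
        raise ValueError("encoded payload too short")
    key = enc[0] ^ known_prefix[0]
    decoded = bytes(b ^ key for b in enc)
    if not decoded.startswith(known_prefix):
        raise ValueError("not a single-byte XOR of a PE (or the key varies per byte)")
    return key, decoded


def triage_container(container: bytes) -> dict:
    """Full pass: check the PNG signature, carve the plain PEs, decode the trailing payload."""
    if not container.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG container")
    pes, tail = carve_pes(container)
    key, backdoor = xor_decode_single_byte(tail)
    return {"plain_pes": pes, "xor_key": key, "backdoor": backdoor,
            "backdoor_valid_pe": pe_length(backdoor, 0) == len(backdoor)}


# --- constructed sample input (not a real DEV-0139 artifact) ---------------------------
def build_stub_pe(body: bytes) -> bytes:
    """Minimal PE: DOS header, PE signature, COFF header with no optional header and one
    section whose raw data is `body`. Enough structure for the carver; not loadable."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x22)   # x64, 1 section, 0-byte opt hdr
    raw_ptr = 0x40 + 4 + 20 + 40                                  # data follows the section header
    section = (b".text".ljust(8, b"\0")
               + struct.pack("<IIII", len(body), 0x1000, len(body), raw_ptr) + b"\0" * 16)
    return dos + b"PE\0\0" + coff + section + body


SAMPLE_KEY = 0x5A  # arbitrary demo key, not the real one


def build_sample_container() -> bytes:
    """PNG signature + logagent stub + wsock32 stub + XOR-encoded backdoor stub."""
    encoded = bytes(b ^ SAMPLE_KEY for b in build_stub_pe(b"BACKDOOR-STUB"))
    return (PNG_SIGNATURE + build_stub_pe(b"LOGAGENT-STUB")
            + build_stub_pe(b"WSOCK32-PROXY-STUB") + encoded)


if __name__ == "__main__":
    result = triage_container(build_sample_container())
    print(f"plain PEs: {[len(p) for p in result['plain_pes']]}  key: 0x{result['xor_key']:02x}  "
          f"backdoor is a valid PE: {result['backdoor_valid_pe']}")
```

On a real sample, if the decode step raises, the key is not a single byte and the next thing to try is a repeating key recovered from the longer known header (the zero padding after "MZ" is a convenient crib); the carving step stays the same.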

DLL sideloading of this kind is a popular technique. Microsoft suggests that DEV-0139 is the same actor behind a similar intrusion it observed in June, which also relied on a sideloaded DLL, as well as other attacks. According to Microsoft, DEV-0139 is also the threat actor that the security firm Volexity has associated with North Korea's state-sponsored Lazarus Group. 

That Lazarus activity used a malware strain called AppleJeus and an MSI (Microsoft Installer) package. The United States Cybersecurity and Infrastructure Security Agency (CISA) reported on AppleJeus last year, and Kaspersky documented it in 2020. 

To stay safe from such threats, Microsoft suggests:

1. Use the indicators of compromise published in Microsoft's report to investigate whether they exist in your environment and assess for potential intrusion.

2. Educate end users about protecting personal and business information in social media, filtering unsolicited communication (in this case, Telegram chat groups), identifying lures in spear-phishing emails and watering holes, and reporting reconnaissance attempts and other suspicious activity.

3. Educate end users about preventing malware infections, such as ignoring or deleting unsolicited and unexpected emails or attachments sent via instant messaging applications or social networks. Encourage end users to practice good credential hygiene and make sure the Microsoft Defender Firewall (which is enabled by default) is always on to prevent malware infection and stifle propagation.

4. Change Excel macro security settings to control which macros run and under what circumstances when you open a workbook. Customers can also stop malicious XLM or VBA macros by ensuring that runtime macro scanning by the Antimalware Scan Interface (AMSI) is on. This feature is enabled by default and is on if the Group Policy setting Macro Runtime Scan Scope is set to "Enable for All Files" or "Enable for Low Trust Files".

5. Turn on attack surface reduction rules to prevent common attack techniques observed in this threat:

  • Block Office applications from creating executable content
  • Block Office communication application from creating child processes
  • Block Win32 API calls from Office macros

6. Ensure that Microsoft Defender Antivirus is up to date and that real-time behavior monitoring is enabled.
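The attack surface reduction rules above map onto telemetry a SOC can hunt on directly. The following example (added here; it is not Microsoft's code or a Defender rule) evaluates constructed Sysmon-style file-create, process-create and image-load events against the chain described earlier: Excel writing into C:\ProgramData\Microsoft Media\, Excel creating executable content or child processes, logagent.exe running outside System32, and wsock32.dll being loaded from anywhere other than System32 or SysWOW64. The event field names, the list of Office processes, the drop directory for logagent.exe and wsock32.dll, and Excel being the parent of logagent.exe are assumptions; the child-process rule also generalizes beyond Outlook to any Office process.

```python
"""Detection logic for the DEV-0139 Excel-to-DLL-sideload chain over constructed telemetry.
Added example, not Microsoft's code. Event fields follow a Sysmon-like shape chosen here;
the Office process list, the drop directory of logagent.exe/wsock32.dll and Excel being
the parent of logagent.exe are assumptions, not facts from the write-up."""
from collections import Counter
from pathlib import PureWindowsPath
from typing import Dict, List

OFFICE_PROCS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}   # assumption
EXEC_EXTS = {".exe", ".dll", ".scr", ".com"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Indicators taken from the write-up above
DROP_DIR = "c:\\programdata\\microsoft media\\"
DROP_NAME = "vsdb688.tmp"
SIDELOAD_HOST = "logagent.exe"
SIDELOAD_DLL = "wsock32.dll"


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _in_system_dir(path: str) -> bool:
    parent = str(PureWindowsPath(path).parent).lower() + "\\"
    return parent.startswith(SYSTEM_DIRS)


def evaluate(event: dict) -> List[str]:
    """Return the names of every rule the event trips (empty list means benign)."""
    hits = []
    if event["type"] == "file_create":
        proc, target = _name(event["process"]), event["target"].lower()
        if proc in OFFICE_PROCS and target.startswith(DROP_DIR):
            hits.append("office-writes-programdata")
        if proc in OFFICE_PROCS and PureWindowsPath(target).suffix in EXEC_EXTS:
            hits.append("office-creates-executable")       # ASR: Office creating executable content
        if _name(target) == DROP_NAME:
            hits.append("ioc-vsdb688")
    elif event["type"] == "process_create":
        if _name(event["parent"]) in OFFICE_PROCS:
            hits.append("office-child-process")            # ASR: Office spawning child processes
        if _name(event["image"]) == SIDELOAD_HOST and not _in_system_dir(event["image"]):
            hits.append("logagent-outside-system32")
    elif event["type"] == "image_load":
        if _name(event["loaded"]) == SIDELOAD_DLL and not _in_system_dir(event["loaded"]):
            hits.append("wsock32-sideload")                # proxy DLL loaded from the host's own dir
    return hits


def hunt(events: List[dict]) -> Dict[str, int]:
    """Count rule hits across a batch of events."""
    counts: Counter = Counter()
    for ev in events:
        counts.update(evaluate(ev))
    return dict(counts)


def chain_observed(events: List[dict]) -> bool:
    """True when the drop, the sideload-host launch and the DLL sideload all appear."""
    return {"ioc-vsdb688", "logagent-outside-system32", "wsock32-sideload"} <= set(hunt(events))


EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
DROP = r"C:\ProgramData\Microsoft Media"          # drop location for the PEs: assumption
SAMPLE_EVENTS = [  # constructed; the order mirrors the chain described above
    {"type": "file_create", "process": EXCEL, "target": DROP + r"\VSDB688.tmp"},
    {"type": "file_create", "process": EXCEL, "target": DROP + r"\logagent.exe"},
    {"type": "file_create", "process": EXCEL, "target": DROP + r"\wsock32.dll"},
    {"type": "process_create", "parent": EXCEL, "image": DROP + r"\logagent.exe"},
    {"type": "image_load", "process": DROP + r"\logagent.exe", "loaded": DROP + r"\wsock32.dll"},
    # benign noise: the real wsock32.dll from System32, and Excel saving an ordinary workbook
    {"type": "image_load", "process": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\Windows\System32\wsock32.dll"},
    {"type": "file_create", "process": EXCEL, "target": r"C:\Users\alice\Documents\vip-fees.xlsx"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["type"].ljust(15), evaluate(ev) or "benign")
    print("chain observed:", chain_observed(SAMPLE_EVENTS))
```

The sideload rule is the one worth keeping after this campaign is over: a DLL with a System32 name being loaded from a user-writable directory is a generic DLL search-order hijack signal, regardless of which host binary is carrying it.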

The cryptocurrency market is a lucrative target for cybercriminals. Victims are approached through trusted channels to improve the chances of a successful attack. While attackers prefer large organizations, smaller organizations can also become easy targets of interest. 

Malicious Excel Files are Now Being Employed to Propagate Revamped Emotet Malware

Cybersecurity researchers have found that the infamous Emotet malware has changed its methods yet again. In its latest campaign, the malware is delivered through Excel spreadsheets, Word documents and other Microsoft Office files, evading gateway security at the point of entry. 

Emotet was first identified in 2014 as a banking trojan and has remained highly active in recent years. In this campaign, the botnet's operators are using a relatively new module that steals payment card information from Google Chrome. 

According to Deep Instinct researchers, the current version of Emotet has driven a nine-fold increase in the use of Microsoft Excel macros compared with what the researchers observed in the fourth quarter of 2021. The group operating this trojan was among the first to offer malware-as-a-service (MaaS). 

The latest malware still uses many of the same attack vectors as in the past, but the new technique is seen as more effective at collecting and using stolen credentials. 

In a blog post on the re-emergence of Emotet, Chuck Everette, director of cybersecurity advocacy at Deep Instinct, which has been tracking the malware since the fourth quarter of last year, noted that the current variant uses many of the same "evasion methods" as previous versions. 

Since this spring the malware has targeted customers in Japan, as well as the United States and Italy. The researchers first detected Emotet's re-emergence last November and noted that the evolved malware was able to get past email gateway security. 

Additionally, the banking trojan is employing 64-bit shellcode, as well as more advanced PowerShell and active scripts, "with nearly a fifth of all malicious samples exploiting the 2017 Microsoft vulnerability CVE-2017-11882," according to reports. 
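Both the macro-security advice in the DEV-0139 post above and the Excel-macro surge described here come down to one question for an analyst: does this attachment carry macro content at all? The script below (an added example for this post, not code from Deep Instinct, Microsoft or the Emotet authors) triages an OOXML workbook offline by looking for a VBA project, Excel 4.0 (XLM) macro sheets, auto-execute defined names such as Auto_Open, and hidden or veryHidden sheets. The sample workbooks it inspects are constructed in memory and deliberately minimal; they are not real Emotet lures.

```python
"""Static triage of an Excel attachment for macro content: VBA project, Excel 4.0 (XLM)
macro sheets, auto-execute defined names and hidden sheets.
Added example, not Deep Instinct's or Microsoft's code. The workbooks built below are
constructed in memory and contain only the parts the triage looks at."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
# XLM auto-execute names; Excel stores its built-in names with an "_xlnm." prefix
AUTO_EXEC = {"auto_open", "auto_close", "auto_activate", "auto_deactivate"}


def triage_workbook(data: bytes) -> dict:
    """Inspect an OOXML workbook (xlsx/xlsm is a zip) without ever opening it in Excel."""
    report = {"vba_project": False, "xlm_macrosheets": [], "auto_exec_names": [], "hidden_sheets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        report["vba_project"] = "xl/vbaProject.bin" in names                 # VBA macros live here
        report["xlm_macrosheets"] = sorted(n for n in names if n.startswith("xl/macrosheets/"))
        if "xl/workbook.xml" in names:
            root = ET.fromstring(z.read("xl/workbook.xml"))
            for sheet in root.iterfind("m:sheets/m:sheet", NS):
                if sheet.get("state") in ("hidden", "veryHidden"):       # veryHidden: only VBA unhides it
                    report["hidden_sheets"].append((sheet.get("name"), sheet.get("state")))
            for dn in root.iterfind("m:definedNames/m:definedName", NS):
                name = (dn.get("name") or "").lower()
                if name.startswith("_xlnm."):
                    name = name[len("_xlnm."):]
                if name in AUTO_EXEC:
                    report["auto_exec_names"].append(dn.get("name"))
    report["suspicious"] = bool(report["vba_project"] or report["xlm_macrosheets"]
                                or report["auto_exec_names"])
    return report


# --- constructed sample workbooks -------------------------------------------------------
def build_sample_workbook(with_macros: bool) -> bytes:
    """Minimal zip with the parts the triage reads (not a complete, Excel-openable file)."""
    macro_sheet = '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>' if with_macros else ""
    auto_open = ('<definedNames><definedName name="_xlnm.Auto_Open">Macro1!$A$1</definedName></definedNames>'
                 if with_macros else "")
    workbook_xml = "".join([
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"',
        ' xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">',
        '<sheets><sheet name="VIP fees" sheetId="1" r:id="rId1"/>', macro_sheet, "</sheets>",
        auto_open, "</workbook>",
    ])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", workbook_xml)
        z.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        if with_macros:
            z.writestr("xl/macrosheets/sheet1.xml", "<macrosheet/>")
            # OLE2 magic plus filler; a real vbaProject.bin is a compound file
            z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("macro lure", True), ("plain workbook", False)):
        print(label, triage_workbook(build_sample_workbook(flag)))
```

This is a presence check, not a verdict: a workbook that trips it should go to a sandbox or a VBA/XLM extractor, and one that does not can still carry an exploit document (the CVE-2017-11882 Equation Editor samples mentioned above are RTF/OLE, not macros) and needs a different check.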

"We use internal code and binary similarity algorithms on our cloud backend to associate and correlate new variants of a select set of campaigns which we monitor very closely, Emotet being one of them," he explained. 

In particular, multiple static evasion methods are very characteristic of Emotet, and upticks in those in new variant waves are very indicative of malware activity. 

"The Emotet Gang are professionals. They know how to run a successful phishing campaign and have now upped their game with new sophisticated attack techniques," Everette explained on his company's blog on the re-emergence of Emotet. "However, the primary delivery method is still phishing emails, and the human factor is the weakness. If you make yourself more difficult to attack than another company, they will go after the easier target. Make sure you're the harder target to penetrate. Educate your employees."