Site icon API Security Blog

DEV-0139 launches targeted attacks against the cryptocurrency industry

Over the past several years, the cryptocurrency market has considerably expanded, gaining the interest of investors and threat actors. Cryptocurrency itself has been used by cybercriminals for their operations, notably for ransom payment in ransomware attacks, but we have also observed threat actors directly targeting organizations within the cryptocurrency industry for financial gain. Attacks targeting this market have taken many forms, including fraud, vulnerability exploitation, fake applications, and [usage of info stealers](), as attackers attempt to get their hands on cryptocurrency funds.

We are also seeing more complex attacks wherein the threat actor shows great knowledge and preparation, taking steps to gain their target’s trust before deploying payloads. For example, Microsoft recently investigated an attack where the threat actor, tracked as DEV-0139, took advantage of Telegram chat groups to target cryptocurrency investment companies. DEV-0139 joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms and identified their target from among the members. The threat actor posed as representatives of another cryptocurrency investment company, and in October 2022 invited the target to a different chat group and pretended to ask for feedback on the fee structure used by cryptocurrency exchange platforms. The threat actor had a broader knowledge of this specific part of the industry, indicating that they were well prepared and aware of the current challenge the targeted companies may have.

After gaining the target’s trust, DEV-0139 then sent a weaponized Excel file with the name _OKX Binance & Huobi VIP fee comparision.xls_ which contained several tables about fee structures among cryptocurrency exchange companies. The data in the document was likely accurate to increase their credibility. This weaponized Excel file initiates the following series of activities:

1. A malicious macro in the weaponized Excel file abuses UserForm of VBA to obfuscate the code and retrieve some data.
2. The malicious macro drops another Excel sheet embedded in the form and executes it in invisible mode. The said Excel sheet is encoded in base64, and dropped into _C:ProgramDataMicrosoft Media_ with the name _VSDB688.tmp_
3. The file _VSDB688.tmp_ downloads a PNG file containing three executables: a legitimate Windows file named _logagent.exe_, a malicious version of the DLL _wsock32.dll_, and an XOR encoded backdoor.
4. The file _logagent.exe_ is used to sideload the malicious _wsock32.dll_, which acts as a DLL proxy to the legitimate _wsock32.dll_. The malicious DLL file is used to load and decrypt the XOR encoded backdoor that lets the threat actor remotely access the infected system.
![diagram](https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/12/Figure-1.-Overview-of-the-attack-1024×527.png)Figure 1. Overview of the attack

Further investigation through our telemetry led to the discovery of another file that uses the same DLL proxying technique. But instead of a malicious Excel file, it is delivered in an MSI package for a _CryptoDashboardV2_ application, dated June 2022. This may suggest other related campaigns are also run by the same threat actor, using the same techniques.

In this blog post, we will present the details uncovered from our investigation of the attack against a cryptocurrency investment company, as well as analysis of related files, to help similar organizations understand this kind of threat, and prepare for possible attacks. Researchers at [Volexity]() recently published their findings on this attack as well.

As with any observed nation state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the information they need to secure their accounts. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing Microsoft Threat Intelligence Center (MSTIC) to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.

## Initial compromise

To identify the targets, the threat actor sought out members of cryptocurrency investment groups on Telegram. In the specific attack, DEV-0139 got in touch with their target on October 19, 2022 by creating a secondary Telegram group with the name <_NameOfTheTargetedCompany> <> OKX Fee Adjustment_ and inviting three employees. The threat actor created fake profiles using details from employees of the company OKX. The screenshot below shows the real accounts and the malicious ones for two of the users present in the group.

![text](https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/12/Figure-2.-Legitimate-profiles-of-cryptocurrency-exchange-employees-left-and-fake-profiles-created-by-the-threat-actor-right-1-926×1024.png)Figure 2. Legitimate profiles of cryptocurrency exchange employees (left) and fake profiles created by the threat actor (right)

It’s worth noting that the threat actor appears to have a broad knowledge of the cryptocurrency industry and the challenges the targeted company may face. The threat actor asked questions about fee structures, which are the fees used by crypto exchange platforms for trading. The fees are a big challenge for investment funds as they represent a cost and must be optimized to minimize impact on margin and profits. Like many other companies in this industry, the largest costs come from fees charged by exchanges. This is a very specific topic that demonstrates how the threat actor was advanced and well prepared before contacting their target.

After gaining the trust of the target, the threat actor sent a weaponized Excel document to the target containing further details on the fees to appear legitimate. The threat actor used the fee structure discussion as an opportunity to ask the target to open the weaponized Excel file and fill in their information.

## Weaponized Excel file analysis

The weaponized Excel file, which has the file name _OKX Binance & Huobi VIP fee comparision.xls_ (Sha256: abca3253c003af67113f83df2242a7078d5224870b619489015e4fde060acad0), is well crafted and contains legitimate information about the current fees used by some crypto exchanges. The metadata extracted showed that the file was created by the user _Wolf_:

File name****| **OKX Binance & Huobi VIP fee comparision.xls**
—|—
CompObjUserTypeLen****| 31
CompObjUserType****| Microsoft Excel 2003 Worksheet
ModifyDate****| 2022:10:14 02:34:33
TitleOfParts****| Comparison_Oct 2022
SharedDoc****| No
Author****| Wolf
CodePage****| Windows Latin 1 (Western European)
AppVersion****| 16
LinksUpToDate****| No
ScaleCrop****| No
LastModifiedBy****| Wolf
HeadingPairs****| Worksheets, 1
FileType****| XLS
FileTypeExtension****| xls
HyperlinksChanged****| No
Security****| None
CreateDate****| 2022:10:14 02:34:31
Software****| Microsoft Excel
MIMEType****| application/vnd.ms-excel
![graphical user interface, application, Excel](https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/12/Figure-3.-The-information-in-the-malicious-Excel-file-1024×544.png)Figure 3. The information in the malicious Excel file

The macro is obfuscated and abuses UserForm (a feature used to create windows) to store data and variables. In this case, the name of the UserForm is _IFUZYDTTOP_, and the macro retrieves the information with the following code _IFUZYDTTOP.MgQnQVGb.Caption_ where _MgQnQVGb_ is the name of the label in the UserForm and _.caption_ allows to retrieve the information stored into the UserForm.

The table below shows the data retrieved from the UserForm:

**Obfuscated data**| **Original data**
—|—
**IFUZYDTTOP.nPuyGkKr.Caption & IFUZYDTTOP.jpqKCxUd.Caption**| MSXML2.DOMDocument
**IFUZYDTTOP.QevjtDZF.Caption**| b64
**IFUZYDTTOP.MgQnQVGb.Caption**| bin.base64
**IFUZYDTTOP.iuiITrLG.Caption**| Base64 encoded Second Worksheet
**IFUZYDTTOP.hMcZvwhq.Caption**| C:ProgramDataMicrosoft Media
**IFUZYDTTOP.DDFyQLPa.Caption**| VSDB688.tmp
**IFUZYDTTOP.PwXgwErw.Caption & IFUZYDTTOP.ePGMifdW.Caption**| Excel.Application

The macro retrieves some parameters from the UserForm as well as another XLS file stored in base64. The XLS file is dropped into the directory _C:ProgramDataMicrosoft Media_ as _VSDB688.tmp_ and runs in invisible mode.

![text](https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/12/Figure-4.-The-deobfuscated-code-to-load-the-extracted-worksheet-in-invisible-mode..png)Figure 4. The deobfuscated code to load the extracted worksheet in invisible mode.

Additionally, the main sheet in the Excel file is protected with the password _dragon_ to encourage the target to enable the macros. The sheet is then unprotected after installing and running the other Excel file stored in Base64. This is likely used to trick the user to enable macros and not raise suspicion.

### Extracted worksheet

The second Excel file, _VSDB688.tmp_ (Sha256: a2d3c41e6812044573a939a51a22d659ec32aea00c26c1a2fdf7466f5c7e1ee9), is used to retrieve a PNG file that is parsed later by the macro to extract two executable files and the encrypted backdoor. Below is the metadata for the second worksheet:

File Name****| **VSDB688.tmp**
—|—
CompObjUserType****| Microsoft Excel 2003 Worksheet
ModifyDate****| 2022:08:29 08:07:24
TitleOfParts****| Sheet1
SharedDoc****| No
CodePage****| Windows Latin 1 (Western European)
AppVersion****| 16
LinksUpToDate****| No
ScaleCrop****| No
CompObjUserTypeLen****| 31
HeadingPairs****| Worksheets, 1
FileType****| XLS
FileTypeExtension****| xls
HyperlinksChanged****| No
Security****| None
CreateDate****| 2006:09:16 00:00:00
Software****| Microsoft Excel
MIMEType****| application/vnd.ms-excel
![graphical user interface, application](https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/12/Figure-5.-The-second-file-is-completely-empty-but-contains-the-same-UserForm-abuse-technique-as-the-first-stage.-1024×586.png)Figure 5. The second file is completely empty but contains the same UserForm abuse technique as the first stage.

The table below shows the deobfuscated data retrieved from the UserForm:

**Obfuscated data**| **Original data**
—|—
**GGPJPPVOJB.GbEtQGZe.Caption & GGPJPPVOJB.ECufizoN.Caption**| MSXML2.DOMDocument
**GGPJPPVOJB.BkxQNjsP.Caption**| b64
**GGPJPPVOJB.slgGbwvS.Caption**| bin.base64
**GGPJPPVOJB.kiTajKHg.Caption**| C:ProgramDataSoftwareCache
**GGPJPPVOJB.fXSPzIWf.Caption**| logagent.exe
**GGPJPPVOJB.JzrHMGPQ.Caption**| wsock32.dll
**GGPJPPVOJB.pKLagNSW.Caption**| 56762eb9-411c-4842-9530-9922c46ba2da
**GGPJPPVOJB.grzjNBbk.Caption**| /shadow
**GGPJPPVOJB.aJmXcCtW.Caption & GGPJPPVOJB.zpxMSdzi.Caption**| MSXML2.ServerXMLHTTP.6.0
**GGPJPPVOJB.rDHwJTxL.Caption**| Get
| |

The macro retrieves some parameters from the UserForm then downloads a PNG file from _hxxps://od.lk/d/d021d412be456a6f78a0052a1f0e3557dcfa14bf25f9d0f1d0d2d7dcdac86c73/Background.png_. The file was no longer available at the time of analysis, indicating that the threat actor likely deployed it only for this specific attack.

![text](https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/12/Figure-6.-Deobfuscated-code-that-shows-the-download-of-the-file-Background.png)Figure 6. Deobfuscated code that shows the download of the file _Background.png_

The PNG is then split into three parts and written in three different files: the legitimate file _logagent.exe,_ a malicious version of w_sock32.dll_, and the XOR encrypted backdoor with the GUID (56762eb9-411c-4842-9530-9922c46ba2da). The three files are used to load the main payload to the target system.

![text](https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/12/Figure-7.-The-three-files-are-written-into-ProgramData-SoftwareCache-and-run-using-the-CreateProcess-API.png)Figure 7. The three files are written into _C:\ProgramDataSoftwareCache_ and run using the _CreateProcess_ API

## Loader analysis

Two of the three files extracted from the PNG file, _logagent.exe_ and _wsock32.dll_, are used to load the XOR encrypted backdoor. The following sections present our in-depth analysis of both files.

### Logagent.exe

_Logagent.exe_ (Hash: 8400f2674892cdfff27b0dfe98a2a77673ce5e76b06438ac6110f0d768459942) is a legitimate system application used to log errors from Windows Media Player and send the information for troubleshooting.

The file contains the following metadata, but it is not signed:

**Description ******| **Value******
—|—
**language******| English-US
**code-page**| Unicode UTF-16 little endian
**CompanyName******| Microsoft Corporation
**FileDescription**| Windows Media Player Logagent
**FileVersion******| 12.0.19041.746
**InternalName**| logagent.exe
**LegalCopyright******| © Microsoft Corporation. All rights reserved.
**OriginalFilename**| logagent.exe
**ProductName******| Microsoft® Windows® Operating System
**ProductVersion**| 12.0.19041.746

The _logagent.exe_ imports function from the _wsock32.dll_ which is abused by the threat actor to load malicious code into the targeted system. To trigger and run the malicious _wsock32.dll_, _logagent.exe_ is run with the following arguments previously retrieved by the macro: _56762eb9-411c-4842-9530-9922c46ba2da /shadow_. Both arguments are then retrieved by _wsock32.dll_. The GUID _56762eb9-411c-4842-9530-9922c46ba2da_ is the filename for the malicious _wsock32.dll_ to load and _/shadow_ is used as an XOR key to decrypt it. Both parameters are needed for the malware to function, potentially hindering isolated analysis.

![graphical user interface, text, application, email](https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/12/Figure-8.-Command-line-execution-from-the-running-process-logagent.exe_-1024×489.png)Figure 8. Command line execution from the running process logagent.exe

### Wsock32.dll

The legitimate _wsock32.dll_ is the Windows Socket API used by applications to handle network connections. In this attack, the threat actor used a malicious version of _wsock32.dll_ to evade detection. The malicious _wsock32.dll_ is loaded by _logagent.exe_ through DLL side-loading and uses DLL proxying to call the legitimate functions from the real _wsock32.dll_ and avoid detection. DLL proxying is a hijacking technique where a malicious DLL sits in between the application calling the exported function and a legitimate DLL that implements that exported function. In this attack, the malicious _wsock32.dll_ acts as a proxy between _logagent.exe_ and the legitimate _wsock32.dll_.

It is possible to notice that the DLL is forwarding the call to the legitimate functions by looking at the import address table:

![table](https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/12/Figure-9.-Import-Address-Table-from-wsock32.dll_.png)Figure 9. Import Address Table from _wsock32.dll_ ![table](https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/12/Figure-10.-Retrieving-data-with-PeStudio-revealed-the-original-file-name-for-the-malicious-wsock32.dll_.-1024×173.png)Figure 10. Retrieving data with PeStudio revealed the original file name for the malicious _wsock32.dll._

When the malicious _wsock32.dll_ is loaded, it first retrieves the command line, and checks if the file with the GUID as a filename is present in the same directory using the _CreateFile_ API to retrieve a file handle.

![text](https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/12/Figure-11.-Verification-of-the-presence-of-the-file-56762eb9-411c-4842-9530-9922c46ba2da-for-decryption-1024×740.png)Figure 11. Verification of the presence of the file _56762eb9-411c-4842-9530-9922c46ba2da for decryption_

The malicious _wsock32.dll_ loads and decodes the final implant into the memory with the GUID name which is used to remote access the infected machine.

**SHA256******| **2e8d2525a523b0a47a22a1e9cc9219d6526840d8b819d40d24046b17db8ea3fb******
—|—
**Imphash******| 52ff8adb6e941e2ce41fd038063c5e0e
**Rich PE Hash**| ff102ff1ac1c891d1f5be7294035d19e
**Filetype******| PE32+ DLL
**Compile Timestamp**| 2022-08-29 06:33:10 UTC

Once the file is loaded into the memory, it gives remote access to the threat actor. At the time of the analysis, we could not retrieve the final payload. However, we identified another variant of this attack and retrieved the payload, which is discussed in the next section. Identified implants were connecting back to the same command-and-control (C2) server.

## Related attack

We identified another file using a similar mechanism as _logagent.exe_ and delivering the same payload. The loader is packaged as an MSI package and as posed an application called _CryptoDashboardV2_ (Hash: e5980e18319027f0c28cd2f581e75e755a0dace72f10748852ba5f63a0c99487). After installing the MSI, it uses a legitimate application called _tplink.exe_ to sideload the malicious DLL called _DUser.dll _and uses DLL proxying as well.

creation datetime****| **11/12/2009 11:47**
—|—
author****| 168 Trading
title****| Installation Database
page count****| 200
word count****| 2
keywords****| Installer, MSI, Database
last saved****| 11/12/2009 11:47
revision number****| {30CD8B94-5D3C-4B55-A5A3-3FC9C7CCE6D5}
last printed****| 11/12/2009 11:47
application name****| Advanced Installer 14.5.2 build 83143
subject****| CryptoDashboardV2
template****| x64;1033
code page****| Latin I
comments****| This installer database contains the logic and data required to install CryptoDashboardV2.
![](https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/12/Figure-12.-Installation-details-of-the-MSI-file.png)Figure 12. Installation details of the MSI file

Once the package is installed, it runs and side-loads the DLL using the following command: _C:UsersuserAppDataRoamingDashboard_v2TPLink.exe” 27E57D84-4310-4825-AB22-743C78B8F3AA /sven_, where it noticeably uses a different GUID.

Further analysis of the malicious _DUser.dll_ showed that its original name is also _HijackingLib.dll_, same as the malicious_ wsock32.dll_. This could indicate the usage of the same tool to create these malicious DLL proxies. Below are the file details of _DUser.dll_:

**SHA256******| **90b0a4c9fe8fd0084a5d50ed781c7c8908f6ade44e5654acffea922e281c6b33******
—|—
**Imphash******| 52ff8adb6e941e2ce41fd038063c5e0e
**Rich PE Hash**| ff102ff1ac1c891d1f5be7294035d19e
**Filetype******| Win32 DLL
**Compile Timestamp**| 2022-06-20 07:47:07 UTC

Once the DLL is running, it loads and decodes the implant in the memory and starts beaconing the same domain. In that case, the implant is using the GUID name _27E57D84-4310-4825-AB22-743C78B8F3AA_ and the XOR key _/sven_.

## Implant analysis

The payload decoded in the memory by the malicious DLL is an implant used by the threat actor to remotely access the compromised machine. We were able to get the one from the second variant we uncovered. Below are the details of the payload:

**SHA256******| **ea31e626368b923419e8966747ca33473e583376095c48e815916ff90382dda5******
—|—
**Imphash******| 96321fa09a450119a8f0418ec86c3e08
**Rich PE Hash**| 8c4fb0cb671dbf8d859b875244c4730c
**Filetype******| Win32 DLL
**Compile Timestamp**| 2022-06-20 00:51:33 UTC

First, the sample retrieves some information from the targeted system. It can connect back to a remote server and receive commands from it.

![text](https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/12/Figure-13.-Details-about-the-connection-to-the-C2..png)Figure 13. Details about the connection to the C2. ![graphical user interface, text, application, chat or text message](https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/12/Figure-14.-The-sample-is-connecting-back-to-the-domain-name-strainservice.com_..png)Figure 14. The sample is connecting back to the domain name _strainservice[.]com_.

## Infrastructure

It is interesting to notice that the threat actor abused OpenDrive in one of the variants to deliver the payload. The OpenDrive account has been set up quickly for a one shot, indicating that it was created for only one target.

We identified one domain used as C2 server, _strainservice[.]com_ and connected back to the two implants. This domain was registered on June 26 on Namecheap, just before the distribution of the first variant. At the time of the attack, the server had port 80, 443, and 2083. The implants were communicated on port 443.

## Defending against targeted attacks

In this report we analyzed a targeted attack on cryptocurrency investment fund startups. Such companies are relatively new, but manage hundreds of millions of dollars, raising interest by threat actors.

In this attack we identified that the threat actor has broad knowledge of the cryptocurrency industry as well as the challenges their targets may face, increasing the sophistication of the attack and their chance of success. The threat actor used Telegram, an app widely used in the field, to identify the profile of interest, gained the target’s trust by discussing relevant topics, and finally sent a weaponized document that delivered a backdoor through multiple mechanisms. Additionally, the second attack identified was luring a fake crypto dashboard application.

The cryptocurrency market remains a field of interest for threat actors. Targeted users are identified through trusted channels to increase the chance of success. While the biggest companies can be targeted, smaller companies can also be targets of interest. The techniques used by the actor covered in this blog can be mitigated by adopting the security considerations provided below:

* Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
* Educate end users about [protecting personal and business information]() in social media, filtering unsolicited communication (in this case, Telegram chat groups), identifying lures in spear-phishing email and watering holes, and reporting of reconnaissance attempts and other suspicious activity.
* Educate end users about [preventing malware infections](), such as ignoring or deleting unsolicited and unexpected emails or attachments sent via instant messaging applications or social networks. Encourage end users to practice good credential hygiene and make sure the [Microsoft Defender Firewall]() (which is enabled by default) is always on to prevent malware infection and stifle propagation.
* [Change Excel macro security settings]() to control which macros run and under what circumstances when you open a workbook. Customers can also [stop malicious XLM or VBA macros]() by ensuring runtime macro scanning by Antimalware Scan Interface ([AMSI]()) is on. This feature—enabled by default—is on if the Group Policy setting for Macro Run Time Scan Scope is set to “Enable for All Files” or “Enable for Low Trust Files”.
* Turn on [attack surface reduction rules]() to prevent common attack techniques observed in this threat:
* Block Office applications from creating executable content
* Block Office communication application from creating child processes
* Block Win32 API calls from Office macros
* Ensure that [Microsoft Defender Antivirus]() is up to date and that real-time behavior monitoring is enabled.

## Detection details

### Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components as the following malware:

* TrojanDownloader:O97M/Wolfic.A
* TrojanDownloader:O97M/Wolfic.B
* TrojanDownloader:O97M/Wolfic.C
* TrojanDownloader:Win32/Wolfic.D
* TrojanDownloader:Win32/Wolfic.E
* Behavior:Win32/WolficDownloader.A
* Behavior:Win32/WolficDownloader.B

### Microsoft Defender for Endpoint

Alerts with the following titles in the security center can indicate threat activity on your network:

* An executable loaded an unexpected dll
* DLL search order hijack
* ‘Wolfic’ malware was prevented

## Advanced hunting queries

The following hunting queries locate relevant activity.

Query that looks for Office apps that create a file within one of the known bad directories:

DeviceFileEvents
| where InitiatingProcessFileName has_any (“word”, “excel”, “access”, “outlook” “powerpnt”)
| where ActionType == “FileCreated”
| where parse_path( FolderPath ).DirectoryPath has_any(
@”C:ProgramDataMicrosoft Media”,
@”C:ProgramDataSoftwareCache”,
@”RoamingDashboard_v2″
)
| project Timestamp, DeviceName, FolderPath, InitiatingProcessFileName, SHA256, InitiatingProcessAccountName, InitiatingProcessAccountDomain

Query that looks for Office apps that create a file within an uncommon directory (less that five occurrences), makes a set of each machine this is seen on, and each user that has executed it to help look for how many users/hosts are compromised:

DeviceFileEvents
| where InitiatingProcessFileName has_any (“word”, “excel”, “access”, “outlook”, “powerpnt”)
| where ActionType == “FileCreated”
| extend Path = tostring(parse_path(FolderPath).DirectoryPath)
| summarize PathCount=count(), DeviceList=make_set(DeviceName), AccountList=make_set(InitiatingProcessAccountName) by FileName, Path, InitiatingProcessFileName, SHA256
| where PathCount )

To supplement this indicator matching customers can use the Advanced Hunting queries listed above against Microsoft 365 Defender data ingested into their workspaces as well as the following Microsoft Sentinel queries:

* Least common parent and child process pairs:
* Detect anomalous process trees:

## Indicators of compromise

**IOC**| **Filename/Type**| ** Description**
—|—|—
abca3253c003af67113f83df2242a7078d5224870b619489015e4fde060acad0| OKX Binance & Huobi VIP fee comparision.xls| Weaponized Excel file
17e6189c19dedea678969e042c64de2a51dd9fba69ff521571d63fd92e48601b| OKX Binance & Huobi VIP fee comparision.xls| Weaponized Excel file
a2d3c41e6812044573a939a51a22d659ec32aea00c26c1a2fdf7466f5c7e1ee9| VSDB688.tmp| Second worksheet dropped
2e8d2525a523b0a47a22a1e9cc9219d6526840d8b819d40d24046b17db8ea3fb| wsock32.dll / HijackingLib.dll| Malicious dropper that acts as a DLL proxy to legit wsock32.dll
82e67114d632795edf29ce1d50a4c1c444846d9e16cd121ce26e63c8dc4a1629| Duser.dll|
90b0a4c9fe8fd0084a5d50ed781c7c8908f6ade44e5654acffea922e281c6b33| Duser.dll / HijackingLib.dll| Malicious dropped that acts as a DLL proxy to the legit Duser.dll
e5980e18319027f0c28cd2f581e75e755a0dace72f10748852ba5f63a0c99487| 4acbe3.msi| Fake CryptoDashboard application MSI package delivering Duser.dll
82e67114d632795edf29ce1d50a4c1c444846d9e16cd121ce26e63c8dc4a1629| 43d972.msi| Second fake application BloxHolder delviering Duser.dll
ea31e626368b923419e8966747ca33473e583376095c48e815916ff90382dda5| DLL| Implant loaded by Duser.dll
C:ProgramDataSoftwareCachewsock32.dll| Path| Path of wsock32.dll
C:UsersuserAppDataRoamingDashboard_v2DUser.dll| Path| Path of Duser.Dll
C:Program FilesCryptoDashboardV2| Path| Path of the fake app
C:ProgramDataMicrosoft MediaVSDB688.tmp| Path| Path of the second worksheet
hxxps://od.lk/d/d021d412be456a6f78a0052a1f0e3557dcfa14bf25f9d0f1d0d2d7dcdac86c73/Background.png| Background.png downloaded from OpenDrive| Png file downloaded on the victim machines
strainservice.com| Domain/C2| Command and control server
198.54.115.248| IP/C2| IP of the C2
56762eb9-411c-4842-9530-9922c46ba2da | GUID| GUID used
27E57D84-4310-4825-AB22-743C78B8F3AA| GUID| GUID used
TPLink.exe” 27E57D84-4310-4825-AB22-743C78B8F3AA /sven| Command line| Command line runs by the legit exe
logagent.exe 56762eb9-411c-4842-9530-9922c46ba2da /shadow| Command line| Command line runs by the legit file

## MITRE ATT&CK techniques

Tactics| Technique ID| Name| Description
—|—|—|—
Reconnaissance|
[T1591]()| Gather Victim Org Information| The attackers gathered information about the targets reaching them on Telegram with a clear understanding of their challenges.
| [T1593.001]()| Social Media| Attackers identified the targets on specific crypto currencies group on Telegram.
Resource Development| [T1583.001]()| Acquire Infrastructure: Domains| Attackers registered the domain “strainservice.com” on June 18
Initial Access | [T1566.001]()| Spearphishing Attachment| Attackers sent a weaponized Excel document.
Execution
Execution| [T1204.002]()| User Execution: Malicious File| The targeted user must open the weaponized Excel document and enable macros.
| [T1059.005]()| Command and Scripting Interpreter: Visual Basic| Attackers used VBA in the malicious excel document “OKX Binance & Huobi VIP fee comparision.xls” to deliver the implant.
| [T1106]()| Native API| Usage of CreateProcess API in the excel document to run the executable.
Persistence, Privilege Escalation, Defense Evasion| [T1574.002]()| DLL side-Loading
| The attackers abused the legitimate Logagent.exe to side-load the malicious wsock32.dll and the legitimate TPLink.Exe to side load Duser.dll
Defense Evasion| [T1027]()| Obfuscated file or information| The malicious VBA is obfuscated using UserForm to hide variable and data.
| [T1036.005]()| Masquerading: Match Legitimate Name or Location
| The attackers are using legitimate DLL name that acts as DLL Proxy to the original one (wsock32.dll and Duser.dll).
| [T1027.009]()| Obfuscated Files or Information: Embedded Payloads| The malicious DLL are dropping the implant into the machine.
Command & Control| [T1071.001]()| Application Layer Protocol: Web Protocols
| The implant is communicating to the remote domain through port 80 or 443.
| [T1132]()| Data Encoding| The implant is encoding the data exchanged with the C2.
Exfiltration| [T1041]()| Exfiltration over C2 channel
| The implant has the ability to exfiltrate information.

The post [DEV-0139 launches targeted attacks against the cryptocurrency industry]() appeared first on [Microsoft Security Blog]().Read More

Exit mobile version