Microsoft has identified a threat actor that has been targeting cryptocurrency investment startups. An entity that Microsoft tracks as DEV-0139 posed as a cryptocurrency investment firm on Telegram and used a "well-crafted" malicious Excel file to compromise systems and access them remotely.
The threat is part of a trend of cyberattacks showing a high degree of sophistication. In this case, the threat actor created a fake OKX employee profile and joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms.
In recent years, the cryptocurrency market has grown exponentially, attracting the attention of investors as well as threat actors. Cybercriminals have used cryptocurrency in their attacks and campaigns, especially for ransom payments in ransomware attacks.
There has also been a rise in threat actors directly attacking organizations in the cryptocurrency industry for monetary gain. Cyberattacks targeting the cryptocurrency market come in various forms, including fraud, vulnerability exploitation, fake apps, and info stealers, all of which threat actors use to steal cryptocurrency funds.
In October, the victim was asked to join a new group and then asked to provide feedback on an Excel document that compared Binance, OKX, and Huobi VIP fee structures.
The document contained accurate information and showed a high awareness of the realities of crypto trading; however, it also sideloaded an infected .DLL (Dynamic Link Library) file to open a backdoor into the user's system. The victim was then told to view the .dll file while the fees were being discussed.
The attack method is not new: Microsoft suggests the same actor sideloaded .dll files for the same purpose in June and was behind other cyberattack incidents as well. According to Microsoft, DEV-0139 is the same threat actor that cybersecurity firm Volexity has associated with North Korea's state-sponsored Lazarus Group.
It uses a malware strain called AppleJeus delivered through an MSI (Microsoft Installer) package. The United States Cybersecurity and Infrastructure Security Agency reported on AppleJeus last year, and Kaspersky Labs documented it in 2020.
1. Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
2. Educate end users about protecting personal and business information in social media, filtering unsolicited communication (in this case, Telegram chat groups), identifying lures in spear-phishing emails and watering holes, and reporting reconnaissance attempts and other suspicious activity.
3. Educate end users about preventing malware infections, such as ignoring or deleting unsolicited and unexpected emails or attachments sent via instant messaging applications or social networks. Encourage end users to practice good credential hygiene and make sure the Microsoft Defender Firewall (which is enabled by default) is always on to prevent malware infection and stifle propagation.
4. Change Excel macro security settings to control which macros run and under what circumstances when you open a workbook. Customers can also stop malicious XLM or VBA macros by ensuring runtime macro scanning by Antimalware Scan Interface (AMSI) is on. This feature—enabled by default—is on if the Group Policy setting for Macro Run Time Scan Scope is set to “Enable for All Files” or “Enable for Low Trust Files”.
5. Turn on attack surface reduction rules to prevent common attack techniques observed in this threat:
The cryptocurrency market is a lucrative target for cybercriminals. Victims are approached through trusted channels to improve the odds of a successful attack. While hackers prefer targeting large organizations, smaller organizations can also become easy targets.
Earlier this week, North Korea attempted to gain access to the systems of an Israeli company that does business in the cryptocurrency field, in order to extract money that Pyongyang planned to use for its nuclear program.
The hacking attempt was carried out by North Koreans disguising themselves as the company's Japanese supplier. It was caught immediately by cybersecurity personnel from the "Konfidas" agency, who were able to stop the attack.
Authorities say the attempt was sophisticated and professional and that unique tools were used, something that caught the attention of the concerned authorities in Israel.
These attacks do not happen overnight. Most follow a pattern: in the first step, the attacker strikes up a conversation with the person on the other end and gains their trust. After that, the attacker sends a malicious file containing the malware, which is designed to infiltrate the computer.
Once the file reaches the computer, the malware starts spreading across the network and accesses the financial assets or data the attacker wants; in the end, the attacker can do whatever they wish.
Ransom demands are typical of financially motivated attacks, where the threat actors are cybercriminals who steal data and demand payment in exchange for not leaking it and for releasing the systems.
In this particular incident, the North Korean mode of operation follows a pattern in which the actors simply spy, steal money, and vanish. The only user interaction required is opening the malicious files, which allow the attacker to take control of the systems.
North Korean hackers are believed to be behind the theft of around $100 million in cryptocurrency from a US company earlier this year in June, as the country is trying to manage funding for its nuclear and ballistic missile programs.
The assets were stolen from "Horizon Bridge," a Harmony blockchain service that lets assets be sent to other blockchains. Following the theft, the threat actors' activities suggested a link to North Korea. Experts believe these actors to be highly skilled in cyber penetration attacks.
The threat actor SharpTongue, which is linked to North Korea, was found using a malicious extension for Chromium-based browsers to surveil victims' Gmail and AOL email accounts. Experts from cybersecurity firm Volexity track the hackers as SharpTongue, but its activities overlap with those of the Kimsuky APT group.
SharpTongue's toolset was covered by Huntress in a report published in 2021, but in September 2021 Volexity began observing a previously unreported malware strain. Over the past year, Volexity has investigated various incidents involving SharpTongue, and in most of them the hackers used a malicious Microsoft Edge or Google Chrome extension known as "SHARPEXT."
Unlike other extensions used by the Kimsuky APT group, SHARPEXT does not steal passwords or usernames; instead, it accesses the target's webmail account while they are browsing it. The current version of the extension supports three browsers and is capable of stealing the contents of emails from AOL webmail and Gmail accounts.
The report's analysis says that SHARPEXT is a malicious browser extension deployed by SharpTongue after the successful compromise of a target system. The first versions of SHARPEXT investigated by Volexity supported only Google Chrome.
The current variant 3.0 supports three browsers:
The attack chain begins with the hackers manually exfiltrating the files required to install an extension from the compromised workstation. After breaching the victim's Windows system, the hackers modify the web browser's Preferences and Secure Preferences files.
The hackers then manually deploy SHARPEXT via a VBS script and enable the DevTools panel in the active tab to surveil email contents and steal file attachments from the target's mail account. This is done via a PowerShell script, which also hides the warning messages about running developer-mode extensions.
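As an added defender-side illustration (not code from the article or from Volexity's report), the following Python parses a Chromium profile's Secure Preferences and Preferences files, the two files the attack chain above modifies, and flags enabled extensions that were not installed from the Web Store, together with whether developer mode is switched on. The JSON is a constructed sample, and the location code 4 for an unpacked extension is taken from Chromium's source, not from the article. Real Secure Preferences files also carry HMACs under protection.macs, which this check does not validate.

```python
import json

# Constructed sample of the two Chromium profile files SHARPEXT is reported
# to modify. Key names follow Chromium's preference layout; location 4
# (an unpacked, "Load unpacked" extension) is an assumption from Chromium's
# source rather than something the article states.
SECURE_PREFERENCES = json.dumps({
    "extensions": {"settings": {
        "abcdefghijklmnopabcdefghijklmnop": {   # constructed extension id
            "from_webstore": True, "location": 1, "state": 1,
            "manifest": {"name": "Store Extension", "permissions": ["storage"]}},
        "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz": {   # constructed extension id
            "from_webstore": False, "location": 4, "state": 1,
            "path": "C:\\Users\\victim\\AppData\\Roaming\\ext",  # constructed
            "manifest": {"name": "Update Helper",
                         "permissions": ["tabs", "webRequest", "<all_urls>"]}},
    }}
})
PREFERENCES = json.dumps({"extensions": {"ui": {"developer_mode": True}}})

# Host patterns that would let an extension read webmail sessions.
WEBMAIL_HINTS = ("mail.google.com", "mail.aol.com", "<all_urls>")


def find_sideloaded_extensions(secure_prefs_text):
    """Return findings for enabled extensions not installed from the Web Store."""
    settings = json.loads(secure_prefs_text).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        # state 1 = enabled; skip disabled or Web Store installs
        if entry.get("from_webstore") or entry.get("state") != 1:
            continue
        manifest = entry.get("manifest", {})
        perms = manifest.get("permissions", [])
        findings.append({
            "id": ext_id,
            "name": manifest.get("name", "?"),
            "unpacked": entry.get("location") == 4,
            "path": entry.get("path"),
            "webmail_reach": any(h in p for p in perms for h in WEBMAIL_HINTS),
        })
    return findings


def developer_mode_enabled(prefs_text):
    """True if the profile's Preferences file has extension developer mode on."""
    ui = json.loads(prefs_text).get("extensions", {}).get("ui", {})
    return bool(ui.get("developer_mode"))


if __name__ == "__main__":
    for finding in find_sideloaded_extensions(SECURE_PREFERENCES):
        print("sideloaded extension:", finding)
    print("developer mode:", developer_mode_enabled(PREFERENCES))
```

On a live system, point the two loaders at the profile directory's "Secure Preferences" and "Preferences" files and review any hit that is unpacked, non-Web-Store, and has webmail reach.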
According to a Security Affairs report, "experts pointed out that this is the first time the threat actor used malicious browser extensions as part of the post-exploitation phase. Stealing email data from a user's already-logged-in session makes this attack stealthy and hard to be detected by the email provider. The researchers shared the YARA rules to detect these attacks and Indicators of Compromise (IOCs) for this threat."
North Korea faced an internet shutdown, and experts suspect cyberattacks are the main reason. The outage lasted six hours on Wednesday last week during the local morning. It is the second internet outage in North Korea in the past two weeks. British cybersecurity expert Junaid Ali says the recent outage may have been caused by a distributed denial-of-service (DDoS) attack.
The Federal Bureau of Investigation (FBI), jointly with the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of the Treasury, released an advisory on North Korea's cyber threat to cryptocurrency, along with mitigation recommendations.
North Korea is advancing in the field of cybercrime with each passing day, despite the tight economic sanctions imposed by the United Nations and the United States of America in 2006 to deprive North Korea of the funds needed for its nuclear program. North Korea has boosted its cyber capabilities by exploiting digital vulnerabilities across the globe.
This week, the ESTsecurity Security Response Center (ESRC) reported that a North Korean hacking group altered a private stock investment messaging application to deliver malicious code. The group, known as Thallium, delivered a Windows executable built with the Nullsoft Scriptable Install System (NSIS), a popular script-driven installer authoring tool for Microsoft Windows. Thallium, also known as APT37, targeted customers of a private stock investment messaging service in a software supply chain attack, according to a recently published report. Until recently, the group relied mainly on phishing attacks, for example using Microsoft Office documents, to target its victims. Thallium is now using different methods, such as delivering infected Windows installers and macro-laden Office documents, to go after investors.