Binance, a prominent cryptocurrency exchange, is being targeted by a new form of hack, which is being carried out by a “threat actor [with] deep understanding of the cryptocurrency business,” according to the CEO of Binance, Changpeng ‘CZ’ Zhao, who went to Twitter to issue a warning about the attack.
“Don’t download files!”, said CZ on Tuesday.
He went on to explain that users may receive a file from a friend, but that that friend may have already been compromised. This person may share “a weaponized Excel file” with the name “exchange fee comparision.xls”, which contains a malicious code, among other threats, targeting crypto funds.
CZ referred to a Microsoft Security Threat Intelligence blog post published this Tuesday, which discusses “targeted attacks against the cryptocurrency industry.”
In the blog post, it is stated that due to the rise of the cryptocurrency market over the course of the past several years, it has not only attracted the attention of investors, but also of threat actors, who directly target organizations within the cryptocurrency industry for the purpose of financial gain. This is because threat actors are interested in gaining control of the cryptocurrency market.
It was discovered that,
“Attacks targeting this market have taken many forms, including fraud, vulnerability exploitation, fake applications, and usage of info stealers, as attackers attempt to get their hands on cryptocurrency funds.”
You can’t put your faith in your buddies.
According to the study, innovative strategies are also in the process of being developed; one of these strategies was used by a threat actor designated as DEV-0139 (a designation as a temporary name given to an unknown cluster of threat activity until they are identified and named).
“We are also seeing more complex attacks wherein the threat actor shows great knowledge and preparation, taking steps to gain their target’s trust before deploying payloads,” said the report.
DEV-0139 joined chat groups on Telegram with the intention of attacking cryptocurrency investment companies. They then determined who their target was among the members of the group after acting as a communication facilitator between VIP clients and cryptocurrency exchanges.
The threat actor pretended to be representatives of another cryptocurrency investment company and, in October 2022, invited the target to a different chat group where they pretended to ask for feedback on the fee structure used by exchanges. In this chat group, the threat actor pretended to ask for feedback on the fee structure used by exchanges.
“The threat actor had a broader knowledge of this specific part of the industry, indicating that they were well prepared and aware of the current challenge the targeted companies may have,” the team said.
However, after gaining the target’s trust, DEV-0139 sent a weaponized Excel file that included names of major exchanges, titled ‘OKX Binance & Huobi VIP fee comparision.xls’, which contained several tables about fee structures among exchanges. Notably, “the data in the document was likely accurate to increase their credibility.”
The assault on…
According to the research, the weaponized Excel file causes a chain reaction of events to occur. When users construct a macro, mouse clicks and keystrokes are recorded. A macro may be an action or a series of actions that can be recorded and performed an unlimited number of times and as often as required.
This exploit makes use of a malicious macro that is stored inside the file. Its purpose is to obtain certain data and hide some important codes. After that, it will place an additional Excel sheet in the directory C:ProgramDataMicrosoft Media and run it in stealth mode. The file will then download a PNG file that contains three executables: a valid Windows file, a malicious version of an executable file, and a backdoor that is encoded.
When used together, these factors “enable the threat actor to remotely access the compromised machine.”
According to the study, the team found another another file that makes use of a similar approach; however, rather than being given in a malicious Excel file, it is provided in an MSI (Microsoft Software Installer) package for a CryptoDashboardV2 program that has a date stamp of June 2022.
“This may suggest other related campaigns are also run by the same threat actor, using the same techniques,” it said.
How to protect and defend oneself
According to the report, DEV-0139 possesses “a broad knowledge of the cryptocurrency industry,” and the possibility exists that large as well as small businesses could become targets.
According to what they said, the security considerations that were suggested could help mitigate the effects of the methods used by the threat actor. Despite the fact that these are guidelines for businesses, any person may adopt the following precautions in order to safeguard themselves:
You may manage which macros execute and under what conditions when you open a worksheet by modifying the Excel macro security settings;
activate attack surface reduction rules in order to protect yourself from the common assault strategies described above;
certify that your copy of Microsoft Defender Antivirus is up-to-date and that real-time monitoring is turned on;
Make use of the accompanying signs of compromise to determine whether or not they already exist in your environment and to evaluate the risk of possible incursion;
Educate end users on how to protect their personal and business information while using social media, how to filter unsolicited communication, how to recognize lures in spear-phishing emails and watering holes, and how to report reconnaissance attempts and other suspicious activity;
Informing end users about how to avoid becoming infected with malware, such as by ignoring or deleting unsolicited and unexpected emails or attachments sent via instant messaging applications or social networks, is an important preventative measure.
Encourage end users to engage in credential hygiene practices and check that the Microsoft Defender Firewall is constantly active on their computers.
Compiled by Coinbold
