Threat actors have been directly targeting cryptocurrency investment companies using Telegram chat groups. 

According to a new blog from Microsoft, a hacking group tracked under the designation DEV-0139 has been joining Telegram groups that are used to facilitate communication between VIP clients and cryptocurrency exchange platforms, and drawing its targets from among the members.  

“The threat actor posed the target to a different chat group and pretended to ask for feedback on the fee structure used by cryptocurrency exchange platforms,” Microsoft explained. “[They] had a broader knowledge of this specific part of the industry, indicating that they were well prepared and aware of the current challenge the targeted companies may have.”  

After building connections and winning the trust of the target, DEV-0139 sent out a malware-laced Excel file that included tables about fee structures among cryptocurrency exchange companies.  

According to Microsoft, the group provided likely accurate data in the document to further increase their credibility. But once executed, the malicious file would compromise the victim’s machine, ultimately installing a backdoor to remotely access the system.  

Microsoft noted that an investigation showed that there may be other related campaigns being run by the same threat actor using the same techniques. 

“Further investigation through our telemetry led to the discovery of another file that uses the same dynamic link library (DLL) proxying technique. But instead of a malicious Excel file, it is delivered in a Microsoft installer (MSI) package,” the post read.  

To defend against the attack, Microsoft recommended that organizations use the indicators of compromise included in the post to check whether the threat actor is already present in their environment and to assess for a potential intrusion. Organizations can also tighten Excel macro security settings and turn on attack surface reduction rules to further manage the risk, while educating end users about the threat.  
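The two technical controls named above can be applied and verified from an elevated PowerShell session on a Windows endpoint running Microsoft Defender Antivirus. The script below is an added example written for this page, not code from Microsoft's post; it assumes Defender's built-in `Add-MpPreference` / `Get-MpPreference` cmdlets are available, uses the publicly documented GUIDs for the Office-related attack surface reduction rules, and assumes an Office 2016/2019/365 (`16.0`) policy registry path for the Excel macro settings, which you should adjust for your Office version.

```powershell
# Attack surface reduction (ASR) rules most relevant to a macro-laced
# Office document that drops and executes a backdoor.  GUIDs are the
# publicly documented rule identifiers.
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
}

# Roll out in Warn mode first so that legitimate finance-team workbooks
# that spawn helpers surface as events instead of hard failures; switch
# the action to 'Enabled' once the audit results have been reviewed.
$action = 'Warn'   # assumption for this example: Warn, then Enabled after review

foreach ($id in $asrRules.Keys) {
    Write-Host ("Setting ASR rule {0} ({1}) to {2}" -f $id, $asrRules[$id], $action)
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $action
}

# Excel macro hardening via the Office policy keys (per-user policy hive).
# VBAWarnings = 4 disables all macros without notification;
# blockcontentexecutionfrominternet = 1 blocks macros in files that carry
# the Mark-of-the-Web, which covers attachments received over chat apps
# and e-mail.  The 16.0 path is an assumption; adjust to your Office version.
$excelSecurity = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security'
if (-not (Test-Path $excelSecurity)) {
    New-Item -Path $excelSecurity -Force | Out-Null
}
Set-ItemProperty -Path $excelSecurity -Name 'VBAWarnings' -Value 4 -Type DWord
Set-ItemProperty -Path $excelSecurity -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord

# Verification: list the ASR rules Defender now reports, alongside their
# actions, and read back the Excel macro policy values.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $ruleId = $pref.AttackSurfaceReductionRules_Ids[$i]
    $ruleAction = $pref.AttackSurfaceReductionRules_Actions[$i]
    if ($asrRules.ContainsKey($ruleId.ToUpper())) {
        Write-Host ("{0,-40} action={1}" -f $asrRules[$ruleId.ToUpper()], $ruleAction)
    }
}
Get-ItemProperty -Path $excelSecurity |
    Select-Object VBAWarnings, blockcontentexecutionfrominternet |
    Format-List
```

Running the script requires administrator rights for the `Add-MpPreference` calls; the registry section applies only to the current user's policy hive, so in a managed estate the same values would normally be pushed through Group Policy or Intune rather than set per machine. Warn and audit events from the ASR rules appear in the Microsoft-Windows-Windows Defender/Operational event log (event IDs 1121, 1122 and 1125), which is where to look for the suspicious Office child-process activity this campaign relies on.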

“The cryptocurrency market remains a field of interest for threat actors. Targeted users are identified through trusted channels to increase the chance of success,” Microsoft said. “While the biggest companies can be targeted, smaller companies can also be the targets of interest.”