Security Program Controls/Technologies, Leadership

Microsoft says hackers are using Telegram to connect with, hack VIPs at cryptocurrency companies

A Bitcoin ATM is seen at the Clark Street subway station on June 13, 2022 in the Brooklyn Heights neighborhood of Brooklyn in New York City. According to a new blog post from Microsoft, a hacking group being tracked under the designation DEV-0139 has been using Telegram groups to facilitate communication between VIP clients and cryptocurrency excha...

Threat actors have been directly targeting cryptocurrency investment companies using Telegram chat groups. 

According to a new blog from Microsoft, a hacking group being tracked under the designation DEV-0139 has been using Telegram groups to facilitate communication between VIP clients and cryptocurrency exchange platforms, drawing their targets from among the members.  

“The threat actor posed the target to a different chat group and pretended to ask for feedback on the fee structure used by cryptocurrency exchange platforms,” Microsoft explained. “[They] had a broader knowledge of this specific part of the industry, indicating that they were well prepared and aware of the current challenge the targeted companies may have.”  

After building connections and winning the trust of the target, DEV-0139 sent out a malware-laced Excel file that included tables about fee structures among cryptocurrency exchange companies.  

According to Microsoft, the group provided likely accurate data in the document to further increase their credibility. But once executed, the malicious file would compromise the victim’s machine, ultimately installing a backdoor to remotely access the system.  

Microsoft noted that an investigation showed that there may be other related campaigns being run by the same threat actor using the same techniques. 

“Further investigation through our telemetry led to the discovery of another file that uses the same dynamic link library (DLL) proxying technique. But instead of a malicious Excel file, it is delivered in a Microsoft installer (MSI) package,” the post read.  

To defend against the attack, Microsoft recommended that organizations use the included indicators of compromise to identify whether the threat actor is in the environment and assess for potential intrusion. Organizations can also change Excel macro security settings and turn on attack surface reduction rules to further manage the risk while educating end users about security risks.  

“The cryptocurrency market remains a field of interest for threat actors. Targeted users are identified through trusted channels to increase the chance of success,” Microsoft said. “While the biggest companies can be targeted, smaller companies can also be the targets of interest.”  

Menghan Xiao

Menghan Xiao is a cybersecurity reporter at SC Media, covering software supply chain security, workforce/business, and threat intelligence. Before SC Media, Xiao studied journalism at Northwestern University, where she received a merit-based scholarship from Medill and Jack Modzelewski Scholarship Fund.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.