Social Engineering Hackers Use Excel to Target Crypto VIPsCampaign May Originate From North Korean Group Infamous for Social Engineering
A threat actor, possibly North Korea's Lazarus Group, is luring high-volume traders in Telegram cryptocurrency chat groups into installing backdoors supposedly by asking for their feedback on trading platform fee structures.
Pyongyang state-backed hackers increasingly specialize in cryptocurrency theft as the regime seeks sources of hard currency to fuel its program of weapons of mass destruction. A United Nations panel in 2019 estimated cybercrime netted the hereditary Juche monarchy about $2 billion, an amount that has only grown since then.
Researchers from Microsoft and digital forensics firm Volexity each say they've spotted the campaign, which manipulates victims into opening an Excel spreadsheet loaded with malicious macros. Volexity connects the campaign to Lazarus Group while Microsoft designates the threat actor as DEV-0139, using nomenclature it reserves for unknown or emerging clusters of threat activity. The computing giant tracks known Lazarus activity under the "Zinc" moniker.
Lazarus is infamous for using social engineering tactics as an initial access vector, resorting to techniques such as posting fake LinkedIn profiles ads to lure users into downloading malicious payloads (see: North Korea Trojanizing Open-Source Software).
Volexity's write-up identifies the backdoor loaded by the campaign as AppleJeus malware, a malicious application the U.S. federal government says North Korean hackers have used since at least 2018 to steal cryptocurrency.
Microsoft traces the campaign activity to Telegram groups used to facilitate communication between VIP clients and cryptocurrency platforms and says the threat actor engineers targeted victims into opening an infected Excel file by soliciting their opinion on trading fee structures. Telegram has emerged as a default communication hub for cryptocurrency traders - "the bedrock of the crypto community," as one person described it earlier this year to TechCrunch.
The spreadsheet appears to contain legitimate data on fees charged by platforms to users. Cryptocurrency trading platforms offer frequent traders discounts on fees, whose costs and lack of transparency are the source of long-running complaints in the cryptocurrency community.
The threat actor encourages victims to enable file macros by password-protecting the main sheet and supplying them with the passphrase, which is "dragon."
Microsoft says the weaponized Excel file executes an obfuscated macro that extracts a second spreadsheet, which in turn runs a macro that opens a
png file from a cloud storage account.
Embedded in the
png file are three executables, including an encoded backdoor. One of the files,
logagent.exe, sideloads a malicious
wsock32.dll, which proxies through the legitimate
wsock32.dll to decode and run the backdoor.
wsock32.dll, or Windows Socket 32-Bit DLL, is an essential component in an operating system that ensures Windows programs operate properly, and
logagent.exe is a system application used to log errors from Windows Media Player and send the information for troubleshooting.