Hackers targeted the crypto industry by using Telegram
Microsoft’s Security Team Says A Hacker Has Sent An Excel File Containing Malicious Code To Traders In The Crypto Industry Via Telegram.
According to Microsoft’s warning statement, a hacker Microsoft tracks as DEV-0139 has targeted wealthy traders through Telegram chat groups. This is the latest example of hacker attacks focusing on the crypto industry.
The fees that crypto exchanges charge for each transaction are a big deal for hedge funds and wealthy traders: these fees are a direct cost to traders and need to be optimized to reduce their impact on profits. A hacker or a group of hackers has tried to attract victims’ attention by focusing on this issue.
DEV-0139 joined several Telegram groups in which wealthy clients and representatives of well-known crypto exchanges were present, and selected its targets from among the members of these groups. Microsoft says the OKX, Huobi, and Binance exchanges were targeted. The CEO of Binance has reacted to this story in a tweet.
The hacker posed as an employee of the exchange and invited the victim to join another Telegram group, claiming to want feedback on the fee structures of various businesses.
The hacker then drew on its knowledge of the crypto industry to hold a conversation with the victim and win the victim’s trust. DEV-0139 then sent the victim an Excel file called “exchange fee comparison.xls”, which contained detailed information about the fee structures of crypto exchanges to increase its credibility in the victim’s eyes.
The Excel file above was secretly carrying out activities of its own: a malicious program inside it retrieved data and created a second Excel sheet. That second sheet ran in stealth mode and downloaded an image file that contained three executables: a legitimate Windows file, a malicious version of a DLL file, and an XOR-encoded backdoor.
A DLL file is a library containing code and data that can be used by multiple applications simultaneously. XOR is a cryptographic solution used to secure data and is difficult to crack through brute force. DEV-0139 likely launched other attacks using similar techniques, Microsoft said in its statement.
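The XOR step in this chain matters mostly to the analyst who ends up with the downloaded image file: in malware delivery, single-byte XOR is an obfuscation layer that hides an executable from simple signature scans, and it can be stripped by trying every possible key and looking for the telltale PE header. The script below is an added example written for this article, not Microsoft’s tooling and not code from the DEV-0139 campaign. The PNG wrapper, the key (0x5A) and the stub executable it hides are all constructed here for illustration; a real sample would be the downloaded image file itself.

```python
"""Recover a single-byte-XOR-encoded executable appended to an image file.

Added example for triaging a download like the one described above: the image
wrapper, key and payload are constructed here, not taken from a real sample.
"""
import struct
import zlib

# Strings every Windows PE carries in its first bytes; decoding with the right
# key makes them reappear, decoding with any other key does not.
DOS_HEADER = b"MZ"
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"

# Constructed stand-in for an executable: DOS header, padding, DOS stub text.
SAMPLE_PAYLOAD = DOS_HEADER + b"\x90\x00" * 30 + DOS_STUB_TEXT + b"\x00" * 16
SAMPLE_KEY = 0x5A  # constructed key, chosen arbitrarily for this example


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; encoding and decoding are the same op."""
    return bytes(b ^ key for b in data)


def build_sample_image(payload: bytes, key: int) -> bytes:
    """Constructed sample: a minimal PNG signature and IHDR chunk, then the
    XOR-encoded payload appended after the image data. Image viewers ignore
    the trailing bytes, which is what makes this carrier attractive."""
    png_signature = b"\x89PNG\r\n\x1a\n"
    ihdr_data = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1 RGB, 8-bit
    chunk = b"IHDR" + ihdr_data
    crc = struct.pack(">I", zlib.crc32(chunk) & 0xFFFFFFFF)
    png = png_signature + struct.pack(">I", len(ihdr_data)) + chunk + crc
    return png + xor_bytes(payload, key)


def find_xor_encoded_pe(blob: bytes):
    """Try all 256 single-byte keys. Return (key, offset) of the first point at
    which decoding yields 'MZ' followed within 256 bytes by the DOS stub text,
    or None if no key produces a PE-looking header."""
    for key in range(256):
        decoded = xor_bytes(blob, key)
        offset = decoded.find(DOS_HEADER)
        while offset != -1:
            if DOS_STUB_TEXT in decoded[offset:offset + 0x100]:
                return key, offset
            offset = decoded.find(DOS_HEADER, offset + 1)
    return None


def recover_payload(blob: bytes):
    """Decode and return the hidden executable bytes, or None if none is found."""
    hit = find_xor_encoded_pe(blob)
    if hit is None:
        return None
    key, offset = hit
    return xor_bytes(blob[offset:], key)


if __name__ == "__main__":
    sample = build_sample_image(SAMPLE_PAYLOAD, SAMPLE_KEY)
    print("key/offset:", find_xor_encoded_pe(sample))  # (90, 33)
    print("recovered matches payload:", recover_payload(sample) == SAMPLE_PAYLOAD)
```

The 256-key sweep finishes in well under a second on a file of a few megabytes, which is the practical point: a single-byte XOR layer costs an analyst nothing to remove, so its value to the attacker lies entirely in defeating scanners that do not try. A multi-byte key needs a different approach (for example, testing key lengths by how often the expected header bytes repeat), and a payload compressed before encoding will not show the DOS stub text until it is decompressed as well.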