
Microsoft warns of inventive crypto fraudsters


Microsoft reports that threat actors targeting the cryptocurrency sector are becoming more sophisticated. According to a new report, Telegram chat groups are being used to reach cryptocurrency investment companies. The company has identified an attacker it tracks as DEV-0139, who infiltrated Telegram groups while posing as a representative of other cryptocurrency investment firms.

Targeted attacks on cryptocurrencies

A report published by the Microsoft Security Threat Intelligence team says the attackers have a strong knowledge of the crypto investment industry. Posing as representatives of other crypto asset management firms, they invited at least one target into a separate Telegram group, where they discussed relevant industry topics in order to gain the target's trust.

The attackers then sent the target a weaponized Excel spreadsheet whose content was detailed and specific enough to make their offer look legitimate. Once opened, the file asks the user to enable macros; a second worksheet embedded in the file then downloads a PNG file and parses it to extract three components: a malicious DLL, an XOR-encoded backdoor and a legitimate Windows executable. The legitimate executable is used to load the DLL, which in turn decrypts and loads the backdoor. The end result is remote access for the attacker to the victim's compromised machine.
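The PNG stage of the chain described above is the one an analyst can check directly: a valid image that carries extra bytes after its IEND chunk, some of them XOR-encoded executables, is easy to triage if you know what to look for. The following script is an added example, not code from Microsoft's report or from the DEV-0139 toolset. It assumes, hypothetically, that the payloads sit after the IEND chunk and are XOR-encoded with a single repeating byte; the real sample's layout and key are not described on this page. Even if that assumption is wrong, the chunk walk still reports any trailing data, which is the first thing to inspect. The sample PNG it analyzes is constructed inline.

```python
"""Triage helper for PNG carriers: find data after IEND and look for
single-byte-XOR-encoded PE files in it.

Added example, not Microsoft's or the attacker's code. The appended
layout and the single-byte XOR key are labelled assumptions.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_trailing_data(data: bytes) -> bytes:
    """Walk the PNG chunk list and return every byte after the IEND chunk.

    A well-formed PNG ends exactly at IEND's CRC, so anything returned
    here is foreign to the image format.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header + chunk data + CRC
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("truncated PNG: no IEND chunk")


def xor_bytes(buf: bytes, key: int) -> bytes:
    """XOR every byte with a single key byte (assumed encoding scheme)."""
    return bytes(b ^ key for b in buf)


def find_xor_pe(blob: bytes) -> list[tuple[int, int]]:
    """Brute-force all 256 single-byte XOR keys and return (key, offset)
    pairs where the decoded data contains a PE header: 'MZ' at offset,
    and 'PE\\0\\0' at offset + e_lfanew (the DWORD at offset + 0x3C)."""
    hits = []
    for key in range(256):
        dec = xor_bytes(blob, key)
        off = dec.find(b"MZ")
        while off != -1:
            if off + 0x40 <= len(dec):
                e_lfanew = struct.unpack_from("<I", dec, off + 0x3C)[0]
                pe_off = off + e_lfanew
                if 0x40 <= e_lfanew < 0x1000 and dec[pe_off:pe_off + 4] == b"PE\0\0":
                    hits.append((key, off))
            off = dec.find(b"MZ", off + 1)
    return hits


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32(type + data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample() -> bytes:
    """Constructed carrier for testing: a valid 1x1 RGB PNG followed by a
    minimal fake PE stub XOR-encoded with key 0x5A. Not a real sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")             # filter byte + one pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    stub = bytearray(0x60)
    stub[0:2] = b"MZ"                        # DOS header magic
    struct.pack_into("<I", stub, 0x3C, 0x40)  # e_lfanew -> PE header at 0x40
    stub[0x40:0x44] = b"PE\0\0"              # PE signature
    return png + xor_bytes(bytes(stub), 0x5A)


if __name__ == "__main__":
    sample = build_sample()
    trailer = png_trailing_data(sample)
    print(f"{len(trailer)} trailing bytes after IEND")
    for key, off in find_xor_pe(trailer):
        print(f"possible PE at trailer offset {off:#x}, XOR key {key:#04x}")
```

Run it against a real file with `png_trailing_data(open(path, "rb").read())`; a non-empty trailer on an image fetched by an Office macro is itself worth an alert, whether or not the XOR search finds a clean PE header.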

The report concluded: “The cryptocurrency market remains an area of interest for attackers. Target users are identified through a trusted channel to increase their chances of success. Attackers' targets include large companies and individual users.”

The current cryptocurrency fraud landscape

According to a recent study by Privacy Affairs, a cybersecurity and data privacy firm, the value of cryptocurrency stolen by attackers in the first 11 months of the year rose 37% to $4.3 billion. Of the 11 largest cryptocurrency thefts and scams of 2022, Privacy Affairs said the top five include the FTX breach, the Ronin Network (Axie Infinity) attack in March ($615 million), the Wormhole crypto bridge hack in February ($320 million) and the JuicyFields.io scam in July ($273 million).

You can read about the measures that should be taken to protect a cryptocurrency exchange here.