According to Microsoft, a threat actor has been found to be focusing on crypto investment start-ups.

In order to remotely access systems, a party Microsoft has identified as DEV-0139 pretended to be a cryptocurrency investment firm on Telegram and used an Excel file weaponized with "well-crafted" malware.

"We are [...] seeing more complex attacks wherein the threat actor shows great knowledge and preparation, taking steps to gain their target's trust before deploying payloads," Microsoft explained.

The danger is part of a growing trend of very sophisticated attacks. In this example, the threat actor joined Telegram groups "used to facilitate communication between VIP clients and cryptocurrency exchange platforms," according to a blog post published by Microsoft on Dec. 6.

It's worth mentioning that the threat actor appears to be well-versed in the crypto business as well as the issues that the targeted company may face. The threat actor inquired about fee structures, which are the trading costs charged by cryptocurrency exchange platforms.

The target was requested to join a new group and then provided with an Excel document that contrasted the VIP fee structures for OKX, Binance, and Huobi. A malicious .dll (Dynamic Link Library) file was secretly sideloaded onto the user's machine, delivered alongside accurate information that showed a high level of awareness of the realities of cryptocurrency trading. During the discussion of fees, the target was then instructed to open the .dll file.

The assault technique is well-known. Microsoft said that the threat actor was the same as the one detected in June using .dll files for comparable purposes and was most likely responsible for further occurrences.
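One way a defender can hunt for the sideloading pattern described above, an Office process loading a DLL from a user-writable directory, is to run a simple rule over image-load telemetry. This is an added example, not code from Microsoft's blog or from this article; it assumes Sysmon-style ImageLoad (Event ID 7) fields (`Image`, `ImageLoaded`, `Signed`) and uses constructed sample events.

```python
from pathlib import PureWindowsPath

# Constructed sample events in a simplified Sysmon Event ID 7 (ImageLoad) shape:
# which process loaded which DLL, and whether the DLL carried a valid signature.
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"},
    {"Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\fee-structure\\loader.dll",
     "Signed": "false"},
    {"Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\x.dll", "Signed": "false"},
    {"Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "ImageLoaded": "C:\\Program Files\\Microsoft Office\\root\\Office16\\mso.dll",
     "Signed": "true"},
]

# Office hosts that normally load DLLs only from the Office and system directories.
OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# Locations a standard user can write to; a legitimate Office DLL rarely lives here.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def is_suspicious_office_dll_load(event):
    """True when an Office process loads a DLL from a user-writable path."""
    process = PureWindowsPath(event["Image"]).name.lower()
    dll_path = event["ImageLoaded"].lower()
    if process not in OFFICE_PROCESSES:
        return False
    return dll_path.startswith(USER_WRITABLE_PREFIXES)


def find_sideload_candidates(events):
    """Return (dll_path, signed) pairs worth analyst triage; unsigned hits rank highest."""
    hits = [(e["ImageLoaded"], e.get("Signed", "false").lower() == "true")
            for e in events if is_suspicious_office_dll_load(e)]
    # Unsigned DLLs first, so the most likely sideload lands at the top of the queue.
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    for path, signed in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"suspicious Office DLL load: {path} (signed={signed})")
```

The rule deliberately ignores `explorer.exe` loading the same kind of file, since the signal here is the combination of an Office host and a user-writable load path, not the path alone.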

DEV-0139, according to Microsoft, is the same attacker that has been linked to North Korea's state-sponsored Lazarus Group, using a malware variant known as AppleJeus and an MSI (Microsoft Installer) package.

AppleJeus was documented by the U.S. Federal Cybersecurity and Infrastructure Security Agency in 2021, and Kaspersky Labs reported on it in 2020.

This was the first time Lazarus had targeted macOS users; the group created a bogus company to deliver its modified application and take advantage of potential victims' high degree of trust.

The Lazarus group created its own macOS malware to target individuals and incorporated an authentication system to carefully deliver the next-stage payload, which was then loaded without ever touching the disk.

Additionally, they developed a multi-stage infection process and dramatically altered the final payload in order to attack Windows users.