Microsoft uncovers new threat to digital asset funds from Lazarus Group

Microsoft and cybersecurity firm Volexity have discovered a new threat facing virtual currency investors using malware embedded in an Excel document.

The bad actor, which Microsoft dubbed DEV-0139, has been linked to the notorious North Korean hacking gang Lazarus Group using a variant of malware known as AppleJeus and Microsoft installer (MSI). Microsoft confirms that the latest threat is a testament to the levels of sophistication attained by the bad actors in recent months.

“Attacks targeting this market have taken many forms, including fraud, vulnerability exploitation, fake applications, and usage of info stealers, as attackers attempt to get their hands on cryptocurrency funds,” the Microsoft’s statement read. “We are also seeing more complex attacks wherein the threat actor shows great knowledge and preparation, taking steps to gain their target’s trust before deploying payloads.”

According to the report, the latest threat saw the hackers target digital asset investment companies on Telegram by joining investment groups on the chat platforms. Posing as another investment company, the hackers invited targets to another chat group while asking for feedback on the fee structure used by digital asset trading companies.

Using superior industry knowledge, the bad actors gained the victims’ trust and sent an Excel file named “OKX Binance & Huobi VIP fee comparision.xls” containing tables on the fee structure of the exchanges. However, the excel document serves as a trojan horse containing a malicious macro that launches an array of malware into the victim’s systems when opened.

Microsoft’s report warned digital asset investment funds to remain wary of unsolicited communication on social media platforms and promote the habit of deleting unexpected emails. Other preventive measures include ensuring that Microsoft Defender Antivirus is running and that end users should imbibe good credential hygiene by ensuring that Microsoft Defender Firewall is deployed.

Lazarus group is at the center of it all

North Korean hacking group Lazarus has been fingered as the brains behind the new scheme, given their antecedents. Cybersecurity firm Volexity noted that the state-sponsored group had previously used a variant of the malware.

Kaspersky Labs was the first to raise the alarm over the use of the variant back in 2020, while the U.S. Federal Cybersecurity and Infrastructure Security Agency documented it in 2021 following a string of attacks in energy, finance, and telecommunications in European Union countries.

Lazarus has been linked to several dastardly attacks in the digital asset industry, including the $625 million Axie Infinity hack and several attacks on Japanese exchanges.

Watch: The BSV Global Blockchain Convention presentation, Sentinel Node: Blockchain Tools to Improve Cybersecurity