A month after Microsoft revealed that a threat actor was targeting using Telegram to connect with cryptocurrency VIPs and infect them with malware, another firm has found additional evidence of malicious actors using tactics to impersonate legitimate actors in the cryptocurrency space.
DEV-0139, a threat actor identified by Microsoft Security in December last year, took advantage of Telegram group chats to attack cryptocurrency investment companies. Following Microsoft’s report, a cryptocurrency firm hired SafeGuard Cyber to help them investigate whether they have been targeted by DEV-0139.
SafeGuard Cyber Division Seven (D7) threat intelligence team then located and confirmed an instance where the company’s employees had been targeted as far back as July 2022 with the same malicious files that DEV-0139 had sent out.
“The D7 team identified the same [tactics, techniques, and procedures] that Microsoft had observed and linked to DEV-0139,” said Steven Spadaccini, VP of threat intelligence at SafeGuard Cyber.
According to Microsoft’s Dec. 6 research, DEV-0139 used Telegram groups to facilitate communication between VIP clients and cryptocurrency exchange platforms, identifying their targets among the members. After building connections and winning the targets’ trust, the threat actor sent out malware-laced Excel files disguised as surveys of fee structures among cryptocurrency exchange companies. The actors behind the campaign have sometimes demonstrated detailed knowledge of the cryptocurrency space and its players. In this particular case, SafeGuard Cyber said that the threat actor actually impersonated a known employee of the client organization in order to gain trust before asking them to open a malicious macro file disguised as a form about fee structures. SafeGuard researchers said they while the individual made surface-level changes to their Telegram profile and photo to carry out the scheme, their metadata clearly identified them as an impersonator.
However, despite following the same pattern as DEV-0139, Spadaccini told SC Media that his team has not attached attribution to any specific groups.
“The TTPs seem to be indicative of the aforementioned group and/or other bad actors,” he noted.
“The result of this analysis is that a compliance customer has enabled deeper security detections for monitored Telegram users,” the research concluded. “This move is part of a larger trend we have observed over the course of 2022, a greater convergence of security and compliance functions in financial services to address overall business communication risks.”
Despite the crypto winter, Telegram announced in December last year that it will build a set of decentralized tools for millions of people, including non-custodial wallets and decentralized exchange.