"Social Engineering Hackers Use Excel to Target Crypto VIPs"

North Korea's Lazarus Group is suspected of luring high-volume traders in cryptocurrency chat groups on Telegram into installing backdoors by asking for feedback on trading platform fee structures. Microsoft researchers and the digital forensics firm Volexity have both discovered the campaign, which tricks victims into opening an Excel spreadsheet containing malicious macros. Volexity associates the campaign with the Lazarus Group, while Microsoft identifies the threat actor as DEV-0139, a designation reserved for unknown or emerging clusters of threat activity; Microsoft tracks known Lazarus activity under the moniker "Zinc." Lazarus is known for using social engineering as an initial access vector, such as posting fake LinkedIn profile ads to trick users into downloading malicious payloads. Volexity identified the campaign's backdoor as AppleJeus malware, a malicious application that the US federal government says North Korean hackers have been using to steal cryptocurrency since at least 2018.

Microsoft traces the campaign's activity to Telegram groups used to facilitate communication between VIP clients and cryptocurrency platforms, and says the threat actor tricked victims into opening an infected Excel file by soliciting comments on trading fee structures. Telegram has emerged as the preferred communication platform for cryptocurrency traders. The spreadsheet contains legitimate data on platform fees charged to users. By password-protecting the main sheet and providing the passphrase "dragon," the threat actor encourages victims to enable macros in the file.

According to Microsoft, the weaponized Excel file runs an obfuscated macro that extracts a second spreadsheet, which in turn runs a macro that opens a PNG file from a cloud storage account. Three executables, including an encoded backdoor, are embedded in the PNG file. One of the files is a malicious Dynamic Link Library (DLL) that proxies through the legitimate DLL to decode and run the backdoor. This article continues to discuss the malicious campaign tricking high-volume traders into installing AppleJeus malware.
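The PNG stage described above (a downloaded image carrying embedded executables) is the kind of artifact an analyst or a mail/proxy gateway can triage without running anything. The following Python script is an added illustration, not code from the article, Microsoft or Volexity, and it knows nothing about the real campaign's files: it walks the PNG chunk structure, verifies chunk CRCs, flags any data appended after the IEND chunk, and looks for PE-shaped blobs (an `MZ` DOS header whose `e_lfanew` field points at a `PE\0\0` signature) inside chunk bodies, after IEND, and in the decompressed pixel stream. The sample images and the "executable" stub it scans are constructed in the script itself; the stub is just enough header structure to trigger the detector and is not a program.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: big-endian length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def parse_png(data: bytes):
    """Walk the chunk list. Returns (chunks, trailing): chunks is a list of dicts,
    trailing is every byte after IEND, which a well-formed PNG never has."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        crc_ok = (len(crc_bytes) == 4 and
                  struct.unpack(">I", crc_bytes)[0] == (zlib.crc32(ctype + body) & 0xFFFFFFFF))
        chunks.append({"type": ctype.decode("latin-1"), "offset": pos,
                       "length": length, "crc_ok": crc_ok})
        pos += 12 + length
        if ctype == b"IEND":
            return chunks, data[pos:]
    return chunks, b""  # no IEND: truncated or malformed; reported via has_iend


def find_pe_headers(blob: bytes):
    """Offsets where an 'MZ' header's e_lfanew (at +0x3C) points at 'PE\\0\\0'.
    Requiring both markers keeps random 'MZ' byte pairs from firing."""
    hits, start = [], 0
    while True:
        i = blob.find(b"MZ", start)
        if i < 0 or i + 0x40 > len(blob):
            return hits
        e_lfanew = struct.unpack_from("<I", blob, i + 0x3C)[0]
        if i + e_lfanew + 4 <= len(blob) and blob[i + e_lfanew:i + e_lfanew + 4] == b"PE\x00\x00":
            hits.append(i)
        start = i + 2


def triage_png(data: bytes) -> dict:
    """Structural checks a defender can run on a PNG before trusting it."""
    chunks, trailing = parse_png(data)
    report = {
        "has_iend": any(c["type"] == "IEND" for c in chunks),
        "bad_crc": [c["type"] for c in chunks if not c["crc_ok"]],
        "trailing_bytes": len(trailing),
        "pe_in_trailing": find_pe_headers(trailing),
        "pe_in_chunks": [],
    }
    for c in chunks:
        body = data[c["offset"] + 8:c["offset"] + 8 + c["length"]]
        hits = find_pe_headers(body)
        if hits:
            report["pe_in_chunks"].append((c["type"], c["offset"], hits))
    # Pixel data is zlib-compressed inside IDAT, so scan it decompressed too.
    # Best effort only: the per-scanline filter byte can split a marker.
    idat = b"".join(data[c["offset"] + 8:c["offset"] + 8 + c["length"]]
                    for c in chunks if c["type"] == "IDAT")
    try:
        report["pe_in_pixels"] = find_pe_headers(zlib.decompress(idat)) if idat else []
    except zlib.error:
        report["pe_in_pixels"] = []
    report["suspicious"] = bool(report["trailing_bytes"] or report["pe_in_chunks"]
                                or report["pe_in_pixels"] or report["bad_crc"]
                                or not report["has_iend"])
    return report


def fake_pe_stub() -> bytes:
    """Constructed stand-in for an executable: a DOS header whose e_lfanew points at a
    PE signature. Not a runnable program, just enough structure to trigger the detector."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)   # 0x40-byte DOS header
    struct.pack_into("<I", stub, 0x3C, 0x40)   # e_lfanew -> PE header at +0x40
    return bytes(stub) + b"PE\x00\x00" + b"\x00" * 20


def build_png(trailing: bytes = b"", extra_chunks=()) -> bytes:
    """Minimal valid 1x1 RGB PNG (constructed sample), with optional extra chunks
    before IEND and optional bytes appended after it."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    raw = b"\x00" + b"\xff\x00\x00"            # filter byte + one red pixel
    png = PNG_SIGNATURE + png_chunk(b"IHDR", ihdr)
    for ctype, body in extra_chunks:
        png += png_chunk(ctype, body)
    png += png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b"")
    return png + trailing


CLEAN = build_png()
APPENDED = build_png(trailing=fake_pe_stub())
EMBEDDED = build_png(extra_chunks=[(b"tEXt", b"Comment\x00" + fake_pe_stub())])

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("appended", APPENDED), ("embedded", EMBEDDED)):
        print(name, triage_png(sample))
```

A clean image yields no findings; appended data after IEND and a PE header inside an ancillary chunk are both reported with their offsets, which is enough to quarantine the file and hand it to a sandbox. The check is structural, so it is cheap to run at a gateway, but it only catches payloads stored as plain bytes; an encoded payload (the article notes the backdoor is encoded) will not match the `MZ`/`PE` test and would show up only as unexplained trailing data, oversized ancillary chunks, or a CRC mismatch.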

GovInfoSecurity reports "Social Engineering Hackers Use Excel to Target Crypto VIPs"
