Changpeng Zhao, chief executive officer of Binance (the largest crypto exchange), took to his Twitter account to warn about a new type of attack hitting the crypto world. The attack is carried out by a malicious actor with extensive knowledge of the crypto-asset industry. The CEO advised users not to download files.
Changpeng Zhao Advises Consumers Not to Download Files as They Might Take Away Crypto Funds
Zhao then explained that a customer may receive a file, possibly sent by a friend, that compromises the recipient's system. According to the Binance CEO, the friend sending it may already have been victimized by the same Excel file. The file is named “exchange fee comparision.xls.” It contains malicious code which, among other threats, goes after the victim's crypto funds.
Zhao cited a blog post by Microsoft Security Threat Intelligence describing targeted attacks against crypto-related entities. In that post, Microsoft noted that crypto-focused attacks have evolved over time and now take several forms, including the use of info stealers, fake applications, vulnerability exploitation, and fraud. According to the company, the attackers' goal is to steal crypto funds.
Microsoft Security Threat Intelligence Unveils Another Crypto-Threatening File Type
The report also described some unusual tactics used by the attackers. According to the report, a threat actor, which Microsoft tracks as DEV-0139 (a temporary name given to an unidentified cluster of threat activity until attribution is complete), started its malicious operations in Telegram chat groups.
After joining those chat groups, the attacker targeted crypto exchanges by posing as an investment entity that facilitates interaction between exchanges and their VIP customers. In doing so, the attacker singled out one of the group members as a target. In October 2022, the threat actor asked the target to join a separate group.
The attacker pretended to ask the target for feedback on the fee structures typically used by exchanges. Drawing on substantial knowledge of the crypto industry, the attacker then shared an Excel file weaponized for their malicious purposes. The file referenced well-known exchanges and was named “OKX Binance & Huobi VIP fee comparision.xls”.
The file contained several tables of fee structures from various exchanges. To boost its credibility, the attacker filled it with data that was likely very accurate. Once opened, the weaponized file kicks off a chain of operations. As the report puts it, it runs a macro (a command or series of commands that can be executed repeatedly as needed; when a macro is recorded, it captures keystrokes and mouse clicks).
In this attack, the weaponized file obfuscates parts of its code and retrieves certain targeted data. It drops a second Excel sheet onto the system and opens it invisibly. That malicious Excel file then downloads a PNG file which carries three executables: an encoded backdoor, a malicious version of an executable file, and a legitimate Windows file.
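Defenders can check for the trick described above, an image file that carries executables hidden after its real image data, by walking the PNG chunk structure and looking for DOS/PE headers in whatever follows the IEND chunk. This is an added example, not code from the Microsoft report or from Binance; the sample PNG and the three PE stubs are constructed inline for the demonstration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_end_offset(data):
    """Walk PNG chunks; return the offset just past IEND, or None if malformed."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # length/type header + payload + CRC
        if ctype == b"IEND":
            return pos
    return None

def find_pe_candidates(blob):
    """Offsets of DOS headers ('MZ') whose e_lfanew field points at a 'PE\\0\\0' signature."""
    hits, start = [], 0
    while True:
        i = blob.find(b"MZ", start)
        if i < 0 or i + 0x40 > len(blob):
            break
        e_lfanew = struct.unpack_from("<I", blob, i + 0x3C)[0]
        if 0x40 <= e_lfanew < 0x1000 and blob[i + e_lfanew:i + e_lfanew + 4] == b"PE\0\0":
            hits.append(i)
        start = i + 2
    return hits

def analyse_png(data):
    """Report trailing bytes after IEND and any embedded PE headers in the whole file."""
    end = png_end_offset(data)
    trailing = len(data) - end if end is not None else 0
    return {"valid_png": end is not None, "trailing_bytes": trailing,
            "pe_offsets": find_pe_candidates(data)}

def _chunk(ctype, payload):
    body = ctype + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)

def _fake_pe(pad):
    # Constructed stand-in for a dropped executable: DOS stub with e_lfanew -> PE\0\0 (not runnable code).
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + b"\0" * pad

# Constructed 1x1 RGB PNG, clean, and the same PNG with three PE stubs appended after IEND.
SAMPLE_PNG = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
              + _chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00")) + _chunk(b"IEND", b""))
SAMPLE_WITH_PAYLOAD = SAMPLE_PNG + b"".join(_fake_pe(p) for p in (16, 32, 64))
```

A real image viewer renders both samples identically, which is exactly why the trailing bytes and PE headers, not the file extension, are the signal worth alerting on.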
The report went on to say that Microsoft has found another file using a similar mechanism. In that case the payload is not delivered in an Excel file but in an MSI (Microsoft Software Installer) package for an application called CryptoDashboardV2.