The danger is a product of a pattern of sophisticated attacks. According to a blog post by Microsoft on December 6, the threat actor in this instance joined Telegram channels used to enable contact between VIP clients and cryptocurrency exchange networks while falsely posing as OKX staff.
The target was invited to join a new organization in October, after which they were given comment access to an Excel document that compared the VIP payment systems of OKX, Binance, and Huobi. The document contained accurate details and showed a high level of understanding of the realities of cryptocurrency trading. However, it also covertly sideloaded a malicious .dll (Dynamic Link Library) file to give the attacker access to the user's PC. Later, during the negotiation of fees, the target was asked to open the .dll file themselves.
According to Microsoft, the attacker is the same one discovered in June using .dll files for similar purposes and was likely responsible for other cases. DEV-0139 is also the actor that the cybersecurity company Volexity linked to North Korea's state-sponsored Lazarus Group, based on its use of a variant of the AppleJeus malware and an MSI (Microsoft Installer) package.