Research confirms threat actor impersonating cryptocurrency firm on … – SC Media
A close-up view of the Telegram messaging app is seen on a smart phone on May 25, 2017 in London, England. SafeGuard Cyber Division Seven (D7) threat intelligence team located and confirmed an instance where a company’s employees had been targeted in a previously-known cryptocurrency impersonation scheme as far back as July 2022. (Photo by Carl Court/Getty Images)
A month after Microsoft revealed that a threat actor was using Telegram to connect with cryptocurrency VIPs and infect them with malware, another firm has found additional evidence of malicious actors using the same tactics to impersonate legitimate actors in the cryptocurrency space.
DEV-0139, a threat actor identified by Microsoft Security in December last year, took advantage of Telegram group chats to attack cryptocurrency investment companies. Following Microsoft’s report, a cryptocurrency firm hired SafeGuard Cyber to help it investigate whether it had been targeted by DEV-0139.
SafeGuard Cyber Division Seven (D7) threat intelligence team then located and confirmed an instance where the company’s employees had been targeted as far back as July 2022 with the same malicious files that DEV-0139 had sent out.
“The D7 team identified the same [tactics, techniques, and procedures] that Microsoft had observed and linked to DEV-0139,” said Steven Spadaccini, VP of threat intelligence at SafeGuard Cyber.
According to Microsoft’s Dec. 6 research, DEV-0139 used Telegram groups that facilitate communication between VIP clients and cryptocurrency exchange platforms, identifying its targets among the members. After building connections and winning the targets’ trust, the threat actor sent out malware-laced Excel files disguised as surveys of fee structures among cryptocurrency exchange companies. The actors behind the campaign have sometimes demonstrated detailed knowledge of the cryptocurrency space and its players. In this particular case, SafeGuard Cyber said that the threat actor impersonated a known employee of the client organization in order to gain trust before asking targets to open a malicious macro file disguised as a form about fee structures. SafeGuard researchers said that while the individual made surface-level changes to their Telegram profile name and photo to carry out the scheme, their account metadata clearly identified them as an impersonator.
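The detection point in the paragraph above is that a display name and photo are cosmetic, while the identifiers the platform assigns to an account are not. The following is an added example of that check, written for this page and not code from SafeGuard Cyber, Microsoft, or Telegram: it compares each chat contact against a roster of known employees and flags any contact that carries an employee's name on a different account. The field names (`user_id`, `username`, `display_name`) and the roster and contact records are constructed assumptions standing in for whatever identity metadata a compliance export of a monitored chat actually exposes.

```python
import unicodedata
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    """Identity metadata for one messaging account (field names are assumptions)."""
    user_id: int        # stable numeric id assigned by the platform; not self-editable
    username: str       # unique handle; changing it does not change user_id
    display_name: str   # free text the account holder can set to anything


def normalize_name(name: str) -> str:
    """Canonicalise a display name so case, spacing and Unicode variants do not defeat the lookup."""
    name = unicodedata.normalize("NFKC", name)
    return " ".join(name.casefold().split())


# Constructed roster: how the organisation's real employees appear on the platform.
KNOWN_EMPLOYEES = [
    Account(user_id=100001, username="alice_example", display_name="Alice Example"),
    Account(user_id=100002, username="bob_example", display_name="Bob Example"),
]


def build_index(roster):
    """Index the roster by normalised display name for O(1) lookup."""
    return {normalize_name(a.display_name): a for a in roster}


def classify_contact(contact: Account, roster=KNOWN_EMPLOYEES) -> str:
    """Return 'verified', 'impersonation' or 'unknown' for one contact.

    verified      - the name belongs to an employee AND the stable identifiers
                    (user_id and username) agree with the roster entry
    impersonation - the name belongs to an employee but the stable identifiers
                    differ, i.e. the name was copied onto some other account
    unknown       - the name matches no employee; nothing is claimed either way
    """
    expected = build_index(roster).get(normalize_name(contact.display_name))
    if expected is None:
        return "unknown"
    same_id = contact.user_id == expected.user_id
    same_handle = contact.username.casefold() == expected.username.casefold()
    return "verified" if (same_id and same_handle) else "impersonation"


def triage(contacts, roster=KNOWN_EMPLOYEES) -> dict:
    """Map each contact's user_id to its verdict so impersonations can be escalated."""
    return {c.user_id: classify_contact(c, roster) for c in contacts}


# Constructed sample contacts, as they might appear in a monitored-chat export.
SAMPLE_CONTACTS = [
    Account(user_id=100001, username="alice_example", display_name="Alice Example"),
    # Same visible name with extra whitespace, but a different account entirely.
    Account(user_id=555999, username="fee_survey_desk", display_name="Alice  Example"),
    Account(user_id=777000, username="random_trader", display_name="Random Trader"),
]

if __name__ == "__main__":
    for uid, verdict in triage(SAMPLE_CONTACTS).items():
        print(uid, verdict)
```

The roster lookup keys on the normalised display name, but the verdict is decided only by the identifiers the account holder cannot edit, so a copied name and photo produce an `impersonation` verdict rather than a false match. Matching on both `user_id` and `username` also catches the case where a handle alone has been reused or rotated.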
However, despite following the same pattern as DEV-0139, Spadaccini told SC Media that his team has not attached attribution to any specific groups.
“The TTPs seem to be indicative of the aforementioned group and/or other bad actors,” he noted.
“The result of this analysis is that a compliance customer has enabled deeper security detections for monitored Telegram users,” the research concluded. “This move is part of a larger trend we have observed over the course of 2022, a greater convergence of security and compliance functions in financial services to address overall business communication risks.”
Despite the crypto winter, Telegram announced in December last year that it will build a set of decentralized tools for millions of people, including non-custodial wallets and a decentralized exchange.
Copyright © 2022 CyberRisk Alliance, LLC All Rights Reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorization.