A month after Microsoft revealed that a threat actor was using Telegram to connect with cryptocurrency VIPs and infect them with malware, another firm has found additional evidence of malicious actors using tactics to impersonate legitimate actors in the cryptocurrency space.
DEV-0139, a threat actor identified by Microsoft Security in December last year, took advantage of Telegram group chats to attack cryptocurrency investment companies. Following Microsoft's report, a cryptocurrency firm hired SafeGuard Cyber to help it investigate whether it had been targeted by DEV-0139.
SafeGuard Cyber's Division Seven (D7) threat intelligence team then located and confirmed an instance in which the company's employees had been targeted as far back as July 2022 with the same malicious files that DEV-0139 had sent out.
“The D7 team identified the same [tactics, techniques, and procedures] that Microsoft had observed and linked to DEV-0139,” said Steven Spadaccini, VP of threat intelligence at SafeGuard Cyber.
According to Microsoft’s Dec. 6 research, DEV-0139 used Telegram groups to facilitate communication between VIP clients and cryptocurrency exchange platforms, identifying their targets among the members. After building connections and winning the targets’ trust, the threat actor sent out malware-laced Excel files disguised as surveys of fee structures among cryptocurrency exchange companies. The actors behind the campaign have sometimes demonstrated detailed knowledge of the cryptocurrency space and its players. In this particular case, SafeGuard Cyber said that the threat actor actually impersonated a known employee of the client organization in order to gain trust before asking them to