DEV-0139 launches targeted attacks against the cryptocurrency industry | Microsoft Security Blog

MITRE Techniques

• [T1591] Gather Victim Org Information – The attackers gathered information about the targets reaching them on Telegram with a clear understanding of their challenges. “The threat actor…identified their target from among the members.”
• [T1593.001] Social Media – Attackers identified the targets on specific crypto currencies group on Telegram. “Attackers identified the targets on Telegram.”
• [T1583.001] Acquire Infrastructure: Domains – Attackers registered the domain “strainservice.com” on June 18.
• [T1566.001] Initial Access – Spearphishing Attachment – Attackers sent a weaponized Excel document. “The weaponized Excel file initiates the following series of activities.”
• [T1204.002] User Execution: Malicious File – The target must open the weaponized Excel document and enable macros.
• [T1059.005] Command and Scripting Interpreter: Visual Basic – Attackers used VBA in the malicious Excel document to deliver the implant.
• [T1106] Native API – Usage of CreateProcess API in the Excel document to run the executable.
• [T1574.002] DLL side-loading – The attackers abused the legitimate Logagent.exe to side-load wsock32.dll and TPLink.exe to side-load Duser.dll.
• [T1027] Obfuscated file or information – The malicious VBA is obfuscated using UserForm to hide variable and data.
• [T1036.005] Masquerading: Match Legitimate Name or Location – The attackers use legitimate DLL names that act as DLL proxies (wsock32.dll, Duser.dll).
• [T1027.009] Obfuscated Files or Information: Embedded Payloads – The malicious DLLs drop the implant into the machine.
• [T1071.001] Application Layer Protocol: Web Protocols – The implant communicates to the remote domain through port 80 or 443.
• [T1132] Data Encoding – The implant encodes data exchanged with the C2.
• [T1041] Exfiltration over C2 channel – The implant has the ability to exfiltrate information.