A close-up view of the Telegram messaging app is seen on a smart phone on May 25, 2017 in London, England. SafeGuard Cyber Division Seven (D7) threat intelligence team located and confirmed an instance where a company’s employees had been targeted in a previously-known cryptocurrency impersonation scheme as far back as July 2022. (Photo by Carl Court/Getty Images)
A month after Microsoft revealed that a threat actor was using Telegram to connect with cryptocurrency VIPs and infect them with malware, another firm has found additional evidence of malicious actors using the same tactics to impersonate legitimate actors in the cryptocurrency space.
DEV-0139, a threat actor identified by Microsoft Security in December last year, took advantage of Telegram group chats to attack cryptocurrency investment companies. Following Microsoft’s report, a cryptocurrency firm hired SafeGuard Cyber to help it investigate whether it had been targeted by DEV-0139.
SafeGuard Cyber’s Division Seven (D7) threat intelligence team then located and confirmed an instance where the company’s employees had been targeted as far back as July 2022 with the same malicious files that DEV-0139 had sent out.
“The D7 team identified the same [tactics, techniques, and procedures] that Microsoft had observed and linked to DEV-0139,” said Steven Spadaccini, VP of threat intelligence at SafeGuard Cyber.
According to Microsoft’s Dec. 6 research, DEV-0139 used Telegram groups to facilitate communication between VIP clients and cryptocurrency exchange platforms, identifying its targets among the members. After building connections and winning the targets’ trust, the threat actor sent out malware-laced Excel files disguised as surveys of fee structures among cryptocurrency exchange companies. The actors behind the campaign have sometimes demonstrated detailed knowledge of the cryptocurrency space and its players. In this particular case, SafeGuard Cyber said that the threat actor impersonated a known employee of the client organization in order to gain trust before asking the targets to open a malicious macro file disguised as a form about fee structures. SafeGuard researchers said that while the individual made surface-level changes to their Telegram profile and photo to carry out the scheme, their metadata clearly identified them as an impersonator.
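The detection point in the paragraph above is that a display name and photo are cheap to change, while an account’s underlying identifiers are not. The following script is an added example (not code from SafeGuard Cyber, Microsoft, or SC Media) of how a monitoring team could apply that check to exported group-chat metadata: it flags senders whose display name or handle collides with a known employee but whose account ID does not match, and raises the severity when such a sender attaches an Office document that can carry macros. The employee directory, the message records and their field names are constructed assumptions about how such an export might look.

```python
"""Flag Telegram senders who look like a known employee but are not.

Added example, not SafeGuard Cyber's or Microsoft's code. The directory,
messages and field names below are constructed sample data and assumptions.
"""
from dataclasses import dataclass
from typing import Optional
import unicodedata


@dataclass(frozen=True)
class TelegramProfile:
    user_id: int               # numeric account id; not changeable by the user
    username: Optional[str]    # @handle; changeable, but unique at any one time
    display_name: str          # free text; trivially changed by the user


# Constructed directory of the client's employees as they appear on Telegram.
KNOWN_EMPLOYEES = {
    101: TelegramProfile(101, "alice_fin", "Alice Chen"),
    102: TelegramProfile(102, "bob_ops", "Bob Okafor"),
}

# Attachment extensions that can carry macros (the lure in the article was a macro file).
MACRO_EXTENSIONS = (".xlsm", ".xls", ".docm", ".doc")


def _normalize(name: str) -> str:
    """Fold case, strip accents and collapse whitespace so look-alike names collide."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(folded.lower().split())


def classify_sender(sender: TelegramProfile, directory=KNOWN_EMPLOYEES) -> str:
    """Return 'employee', 'impersonator' or 'unknown'.

    Trust is anchored on the immutable user_id. A sender whose mutable
    display name or handle matches an employee, while the user_id does not,
    is the impersonation pattern described in the article.
    """
    if sender.user_id in directory:
        return "employee"
    wanted_name = _normalize(sender.display_name)
    wanted_handle = (sender.username or "").lower()
    for emp in directory.values():
        if _normalize(emp.display_name) == wanted_name:
            return "impersonator"
        if wanted_handle and emp.username and emp.username.lower() == wanted_handle:
            return "impersonator"
    return "unknown"


def scan_messages(messages, directory=KNOWN_EMPLOYEES):
    """Return (message_id, verdict, severity) for messages needing analyst review.

    Severity is 'high' when an impersonator sends a macro-capable attachment,
    otherwise 'medium'. Messages from verified or unknown senders are not flagged.
    """
    findings = []
    for msg in messages:
        verdict = classify_sender(msg["sender"], directory)
        if verdict != "impersonator":
            continue
        attachment = (msg.get("attachment") or "").lower()
        severity = "high" if attachment.endswith(MACRO_EXTENSIONS) else "medium"
        findings.append((msg["id"], verdict, severity))
    return findings


# Constructed sample export: a real employee, an impersonator with a copied
# display name and look-alike handle, and an unrelated outsider.
SAMPLE_MESSAGES = [
    {"id": 1, "sender": KNOWN_EMPLOYEES[101], "attachment": None},
    {"id": 2, "sender": TelegramProfile(7788, "alice_fin_", "Alice Chen"),
     "attachment": "fee_structure_survey.xlsm"},
    {"id": 3, "sender": TelegramProfile(500, "carol", "Carol Diaz"), "attachment": None},
]

if __name__ == "__main__":
    for finding in scan_messages(SAMPLE_MESSAGES):
        print(finding)
```

Anchoring on `user_id` also means an employee who legitimately renames their own profile is still classified as `employee`, so the check does not generate noise on ordinary profile edits.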
However, despite following the same pattern as DEV-0139, Spadaccini told SC Media that his team has not attached attribution to any specific groups.
“The TTPs seem to be indicative of the aforementioned group and/or other bad actors,” he noted.
“The result of this analysis is that a compliance customer has enabled deeper security detections for monitored Telegram users,” the research concluded. “This move is part of a larger trend we have observed over the course of 2022, a greater convergence of security and compliance functions in financial services to address overall business communication risks.”
Despite the crypto winter, Telegram announced in December last year that it will build a set of decentralized tools for millions of people, including non-custodial wallets and a decentralized exchange.