The blockchain industry is undergoing a massive expansion, especially when it comes to cryptocurrencies and the use cases connected to them. Some of these use cases are tied to criminal activity, such as ransomware payments, fraud, vulnerability exploitation and fake applications. The recently ended bull market drew more attackers to this space, and the amount of money lost to cyberattacks rose to more than $3 billion in 2022 alone (Article: The Increasing Trend In Hacks During 2022).
Hacks are carried out in many different ways, including leveraging Telegram chat groups to target cryptocurrency investment companies like the one discussed in this article. An investigation by Microsoft tracked the activity of DEV-0139 (the temporary name Microsoft assigned to this threat actor) and how it carried out a particularly well-prepared attack. The actor impersonated representatives of a cryptocurrency investment company and, in October 2022, invited the target into a separate chat group under the pretext of asking for feedback on the fee structures used by cryptocurrency exchange platforms.
The actor leveraged deep knowledge of this industry to gain the target's trust, and then sent a weaponized Excel file named "OKX Binance & Huobi VIP fee comparison.xls" containing several tables comparing the fee structures of different cryptocurrency exchanges. To avoid raising suspicion, the data in the document was likely accurate.
Once opened with macros enabled, this weaponized document performs the following actions:
- A malicious macro in the weaponized Excel file abuses a VBA UserForm to obfuscate the code and store the data it needs at runtime
- The malicious macro drops another Excel sheet embedded in the form and executes it in invisible mode. That sheet is stored base64-encoded and is dropped into C:\ProgramData\Microsoft Media\ under the name VSDB688.tmp
- The file VSDB688.tmp downloads a PNG file containing three components: a legitimate Windows file named logagent.exe, a malicious version of the DLL wsock32.dll, and an XOR-encoded backdoor
- The file logagent.exe is used to sideload the malicious wsock32.dll, which acts as a DLL proxy to the legitimate wsock32.dll. The malicious DLL loads and decrypts the XOR-encoded backdoor, which gives the threat actor remote access to the infected system
Further investigation through Microsoft’s telemetry led to the discovery of another file that uses the same DLL proxying technique. But instead of a malicious Excel file, it is delivered in an MSI package for a CryptoDashboardV2 application, dated June 2022. This may suggest other related campaigns are also run by the same threat actor, using the same techniques.
This article walks through the details uncovered and the dynamics of the attack performed against a cryptocurrency investment company.
The attack began with the actor impersonating employees of the exchange OKX and creating a Telegram group, to which it then invited three employees of the targeted company.
The actor chose a topic that is very compelling for cryptocurrency investment companies: the fees charged by exchanges. Fees are a significant cost because they accrue on every trade performed.
Once it had gained the targets' trust, the actor sent them the Excel file mentioned above.
WEAPONIZED EXCEL FILE ANALYSIS
The weaponized document contains legitimate information so that reading it raises no suspicion, which would have jeopardized the whole plan. The general information about the document follows.
The macro is obfuscated and abuses a UserForm (a VBA feature for building dialog windows) to store data and variables. In this case the UserForm is named IFUZYDTTOP, and the macro retrieves the stored information with code of the form IFUZYDTTOP.MgQnQVGb.Caption, where MgQnQVGb is the name of a label on the UserForm and .Caption returns the text stored in that label.
The macro retrieves several parameters from the UserForm as well as another XLS file stored as base64. The XLS file is dropped into the directory C:\ProgramData\Microsoft Media as VSDB688.tmp and run in invisible mode.
Additionally, the main sheet in the Excel file is protected with the password dragon to encourage the target to enable macros. The sheet is unprotected only after the base64-stored Excel file has been dropped and run. This is likely meant to trick the user into enabling macros without raising suspicion.
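The UserForm trick above is easy to miss in a static read of the macro because the payload never appears in the VBA source, only a label reference does. The following triage helper is an added example, not code from this page or from Microsoft: given the VBA source and a dump of the form's label captions, it resolves every Form.Label.Caption reference and base64-decodes any caption that is a file blob, identifying it by its magic bytes. The form and label names IFUZYDTTOP and MgQnQVGb come from the report; the lblPath label, the path caption, and the blob (a bare OLE header) are constructed for the example.

```python
"""Added triage helper (not code from the page or from Microsoft): resolve
Form.Label.Caption references in extracted VBA source against the UserForm's
label captions, then base64-decode any caption that is really a file blob."""
import base64
import re

# File signatures a dropped payload is likely to start with.
MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE compound file (legacy .xls)",
    b"PK\x03\x04": "ZIP container (.xlsx/.xlsm)",
    b"MZ": "PE executable",
}
CAPTION_REF = re.compile(r"\b([A-Za-z_]\w*)\.([A-Za-z_]\w*)\.Caption\b")
B64_CHARS = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def resolve_captions(vba_source, forms):
    """Map every Form.Label.Caption reference in the macro to the caption text.
    forms: {form_name: {label_name: caption}} as dumped from the UserForm storage."""
    resolved = {}
    for form, label in CAPTION_REF.findall(vba_source):
        value = forms.get(form, {}).get(label)
        if value is not None:
            resolved[f"{form}.{label}"] = value
    return resolved


def classify_blob(value):
    """If value is base64, decode it and identify the file type by magic bytes.
    Returns (kind, data), or None when the caption is an ordinary string."""
    stripped = re.sub(r"\s+", "", value)
    if len(stripped) < 16 or not B64_CHARS.fullmatch(stripped):
        return None
    try:
        data = base64.b64decode(stripped, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind, data
    return "unrecognised binary", data


# Constructed sample. IFUZYDTTOP and MgQnQVGb are the names from the report;
# lblPath, its caption and the blob (an OLE header plus padding) are made up.
SAMPLE_FORMS = {
    "IFUZYDTTOP": {
        "MgQnQVGb": base64.b64encode(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(24)).decode(),
        "lblPath": r"C:\ProgramData\Microsoft Media\VSDB688.tmp",
    }
}
SAMPLE_VBA = """
Dim dropPath As String, payload As String
dropPath = IFUZYDTTOP.lblPath.Caption
payload = IFUZYDTTOP.MgQnQVGb.Caption
"""


def triage(vba_source=SAMPLE_VBA, forms=SAMPLE_FORMS):
    """Return {reference: description} for each caption the macro reads."""
    report = {}
    for ref, value in resolve_captions(vba_source, forms).items():
        blob = classify_blob(value)
        report[ref] = f"{blob[0]}, {len(blob[1])} bytes" if blob else f"string: {value}"
    return report


if __name__ == "__main__":
    for ref, desc in triage().items():
        print(ref, "->", desc)
```

In practice the label captions come from the UserForm's frx storage (tools such as oletools can dump them); the point of the helper is that a caption decoding to an OLE or PE header is the dropped file, and a plain-string caption next to it is usually the drop path or a command line.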
The second Excel file, VSDB688.tmp (SHA-256: a2d3c41e6812044573a939a51a22d659ec32aea00c26c1a2fdf7466f5c7e1ee9), is used to retrieve a PNG file that the macro later parses to extract two executable files and the encrypted backdoor. Below is the metadata for the second worksheet:
The table below shows the deobfuscated data retrieved from the UserForm:
The macro retrieves some parameters from the UserForm, then downloads a PNG file from hxxps://od.lk/d/d021d412be456a6f78a0052a1f0e3557dcfa14bf25f9d0f1d0d2d7dcdac86c73/Background.png. The file was no longer available at the time of analysis, indicating that the threat actor likely deployed it only for this specific attack.
The PNG is then split into three parts and written to three different files: the legitimate logagent.exe, a malicious version of wsock32.dll, and the XOR-encrypted backdoor, written under the GUID 56762eb9-411c-4842-9530-9922c46ba2da as its filename. The three files are used to load the main payload onto the target system.
Two of the three files extracted from the PNG, logagent.exe and wsock32.dll, are used to load the XOR-encrypted backdoor. The following sections present the in-depth analysis of both files.
Logagent.exe (Hash: 8400f2674892cdfff27b0dfe98a2a77673ce5e76b06438ac6110f0d768459942) is a legitimate system application used to log errors from Windows Media Player and send the information for troubleshooting.
The file contains the following metadata, but it is not signed:
logagent.exe imports functions from wsock32.dll, which is what the threat actor abuses to load malicious code onto the targeted system. To trigger the malicious wsock32.dll, logagent.exe is run with the following arguments, previously retrieved by the macro: 56762eb9-411c-4842-9530-9922c46ba2da /shadow. Both arguments are read back by wsock32.dll: the GUID 56762eb9-411c-4842-9530-9922c46ba2da is the filename of the encrypted backdoor that the malicious wsock32.dll loads, and /shadow is the XOR key used to decrypt it. Both parameters are needed for the malware to function, which hinders analysis of the backdoor file in isolation.
The legitimate wsock32.dll is the Windows Sockets API library used by applications to handle network connections. In this attack, the threat actor used a malicious version of wsock32.dll to evade detection. The malicious wsock32.dll is loaded by logagent.exe through DLL side-loading and uses DLL proxying to call the legitimate functions in the real wsock32.dll, so the host application keeps working normally. DLL proxying is a hijacking technique in which a malicious DLL sits between the application calling an exported function and the legitimate DLL that implements it. Here, the malicious wsock32.dll acts as a proxy between logagent.exe and the legitimate wsock32.dll.
That the DLL forwards calls to the legitimate functions can be seen by looking at its import address table:
When the malicious wsock32.dll is loaded, it first retrieves the command line, then checks whether the file named after the GUID is present in the same directory by calling the CreateFile API to obtain a file handle.
The malicious wsock32.dll then reads the GUID-named file, decodes it with the XOR key, and loads the resulting implant into memory. That implant is what gives the threat actor remote access to the infected machine.
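Because the backdoor on disk is useless without the key passed on the command line, an analyst who recovers only the GUID-named file needs either the key or a way to derive it. The script below is an added example, not code from the page or from Microsoft. It assumes a byte-wise repeating-key XOR with the literal argument string (/shadow, or /sven for the second variant described later) as the key; the report says XOR but does not spell out the scheme. It decodes a blob with a known key and, when the command line is unavailable, recovers the key by known plaintext: every MSVC-linked PE carries the "This program cannot be run in DOS mode" stub text at a fixed offset, and a candidate key is accepted only if it is self-consistent across that text and the decrypted buffer has valid MZ and PE signatures. The sample implant is a constructed MZ/PE skeleton, not a real binary.

```python
"""Added example (not code from the report): decode the GUID-named blob with the
/shadow key, and recover the key from the ciphertext alone when the command line
is not available. Assumes a byte-wise repeating-key XOR with the literal argument
string as key, which the report does not spell out."""
from typing import Optional

DOS_STUB_TEXT = b"This program cannot be run in DOS mode"
DOS_STUB_OFF = 0x4E  # usual offset of the stub message in MSVC-linked PEs; adjust if needed


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Byte-wise XOR of data with a repeating key (symmetric: encode == decode)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Check the two structural anchors every PE has: 'MZ' at 0 and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decode_implant(cipher: bytes, key: bytes) -> bytes:
    """Decode with a known key (the second command-line argument) and sanity-check the result."""
    plain = xor_repeating(cipher, key)
    if not looks_like_pe(plain):
        raise ValueError("decoded data is not a PE image: wrong key or a different scheme")
    return plain


def recover_key(cipher: bytes, max_len: int = 32) -> Optional[bytes]:
    """Known-plaintext attack. cipher[i] ^ plain[i] yields key[i mod k]; the DOS stub
    text pins down every key position for k <= len(DOS_STUB_TEXT). A candidate is
    accepted only if it is self-consistent and the decrypted buffer has PE anchors.
    Returns the shortest such key, or None."""
    if len(cipher) < DOS_STUB_OFF + len(DOS_STUB_TEXT):
        return None
    for k in range(1, max_len + 1):
        key = [None] * k
        consistent = True
        for i, p in enumerate(DOS_STUB_TEXT):
            pos = (DOS_STUB_OFF + i) % k
            kb = cipher[DOS_STUB_OFF + i] ^ p
            if key[pos] is None:
                key[pos] = kb
            elif key[pos] != kb:
                consistent = False
                break
        if not consistent or None in key:
            continue
        candidate = bytes(key)
        if looks_like_pe(xor_repeating(cipher, candidate)):
            return candidate
    return None


def build_sample_pe() -> bytes:
    """Constructed stand-in for the implant: a minimal MZ/PE skeleton, not a real binary."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")  # e_lfanew -> PE signature at 0x80
    hdr[DOS_STUB_OFF:DOS_STUB_OFF + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    return bytes(hdr) + b"PE\0\0" + bytes(0x100)


SAMPLE_KEY = b"/shadow"  # argument from the report, assumed to be the raw key bytes
SAMPLE_CIPHER = xor_repeating(build_sample_pe(), SAMPLE_KEY)

if __name__ == "__main__":
    print("recovered key:", recover_key(SAMPLE_CIPHER))
    print("decoded PE OK:", looks_like_pe(decode_implant(SAMPLE_CIPHER, SAMPLE_KEY)))
```

If recover_key returns None on a real sample, the loader is doing something other than plain repeating-key XOR (a rolling key, a key derived from the argument, or a different stub offset), and the decryption routine in the proxy DLL has to be read directly.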
Once the file is loaded into memory, it gives remote access to the threat actor. At the time of the analysis, Microsoft could not retrieve this final payload. However, another variant of the attack was identified and its payload retrieved; it is discussed in the next section. The identified implants were connecting back to the same command-and-control (C2) server.
Microsoft identified another file using a similar mechanism to logagent.exe and delivering the same payload. This loader is packaged as an MSI and posed as an application called CryptoDashboardV2 (Hash: e5980e18319027f0c28cd2f581e75e755a0dace72f10748852ba5f63a0c99487). After the MSI is installed, it uses a legitimate application called tplink.exe to sideload a malicious DLL called DUser.dll, which uses DLL proxying as well.
Once the package is installed, it runs and side-loads the DLL with the following command, which noticeably uses a different GUID: "C:\Users\user\AppData\Roaming\Dashboard_v2\TPLink.exe" 27E57D84-4310-4825-AB22-743C78B8F3AA /sven
Further analysis of the malicious DUser.dll showed that its original name is also HijackingLib.dll, the same as the malicious wsock32.dll. This could indicate that the same tool was used to create both malicious DLL proxies. Below are the file details of DUser.dll:
Once the DLL is running, it loads and decodes the implant in memory and starts beaconing to the same domain. In this case, the implant file is named with the GUID 27E57D84-4310-4825-AB22-743C78B8F3AA and the XOR key is /sven.
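Both variants share the same observable shape on an endpoint: a legitimate, unsigned-or-renamed host binary started from a user-writable directory with a GUID and a /word argument, followed by a system DLL name being loaded from that same non-system directory. The following detection logic is an added example, not code from the page or from Microsoft. It runs over constructed Sysmon-style process-creation (EventID 1) and image-load (EventID 7) events. The two command lines are the ones reported; the drop location of logagent.exe under C:\ProgramData\Microsoft Media, the EXCEL.EXE parent for the first variant, and the msiexec.exe parent for the second are assumptions for the sample data.

```python
"""Added detection example (not code from the page or from Microsoft): flag the
loader command lines and out-of-place DLL loads over Sysmon-style events."""
import re
from collections import defaultdict

# <host>.exe <GUID> /<word>: the argument shape both loaders in the report use.
GUID_KEY_ARGS = re.compile(
    r'^"?(?P<image>[^"]+?\.exe)"?\s+\{?[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?\s+/\w+\s*$',
    re.IGNORECASE,
)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# DLL names the report shows being proxied; extend with other commonly sideloaded DLLs.
WATCHED_DLLS = {"wsock32.dll", "duser.dll"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Return {ProcessGuid: {"severity", "reasons"}} for every process that trips a rule.
    Two or more independent rules firing on the same process raise severity to high."""
    reasons = defaultdict(list)
    for e in events:
        pid = e["ProcessGuid"]
        image = e["Image"].lower()
        if e["EventID"] == 1:
            if GUID_KEY_ARGS.match(e["CommandLine"]) and not image.startswith(SYSTEM_DIRS):
                reasons[pid].append("GUID + /key argument pattern: " + e["CommandLine"])
            if basename(e.get("ParentImage", "")) in OFFICE_APPS and not image.startswith(TRUSTED_ROOTS):
                reasons[pid].append("Office spawned an executable outside trusted roots: " + e["Image"])
        elif e["EventID"] == 7:
            loaded = e["ImageLoaded"]
            if basename(loaded) in WATCHED_DLLS and not loaded.lower().startswith(SYSTEM_DIRS):
                reasons[pid].append(f"{basename(loaded)} loaded from non-system path {loaded}")
    return {pid: {"severity": "high" if len(r) >= 2 else "medium", "reasons": r}
            for pid, r in reasons.items()}


# Constructed events: p0 is benign; p1 and p2 mirror the two reported variants.
# Paths for p1, and both parent images, are assumed, not taken from the report.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{p0}", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 7, "ProcessGuid": "{p0}", "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\wsock32.dll"},
    {"EventID": 1, "ProcessGuid": "{p1}", "Image": r"C:\ProgramData\Microsoft Media\logagent.exe",
     "CommandLine": r'"C:\ProgramData\Microsoft Media\logagent.exe" 56762eb9-411c-4842-9530-9922c46ba2da /shadow',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"EventID": 7, "ProcessGuid": "{p1}", "Image": r"C:\ProgramData\Microsoft Media\logagent.exe",
     "ImageLoaded": r"C:\ProgramData\Microsoft Media\wsock32.dll"},
    {"EventID": 1, "ProcessGuid": "{p2}", "Image": r"C:\Users\user\AppData\Roaming\Dashboard_v2\TPLink.exe",
     "CommandLine": r'"C:\Users\user\AppData\Roaming\Dashboard_v2\TPLink.exe" 27E57D84-4310-4825-AB22-743C78B8F3AA /sven',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"EventID": 7, "ProcessGuid": "{p2}", "Image": r"C:\Users\user\AppData\Roaming\Dashboard_v2\TPLink.exe",
     "ImageLoaded": r"C:\Users\user\AppData\Roaming\Dashboard_v2\DUser.dll"},
]

if __name__ == "__main__":
    for pid, finding in evaluate(SAMPLE_EVENTS).items():
        print(pid, finding["severity"], *finding["reasons"], sep="\n  ")
```

The image-load rule is the durable one: an attacker can drop the GUID argument convention, but a proxy DLL must still be loaded under the name the host binary imports, from a directory the attacker can write to, which is exactly what EventID 7 records.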
The payload decoded in memory by the malicious DLL is an implant the threat actor uses to remotely access the compromised machine. Microsoft was able to retrieve the one from the second variant. Below are the details of the payload:
First, the sample retrieves some information from the targeted system. It can connect back to a remote server and receive commands from it.
The threat actor abused OpenDrive in one of the variants to deliver the payload. The OpenDrive account has been set up specifically for this purpose.
Microsoft identified one domain used as the C2 server, strainservice[.]com, to which both implants connected back. This domain was registered on June 26 at Namecheap, just before the distribution of the first variant. At the time of the attack, the server had ports 80, 443 and 2083 open. The implants communicated over port 443.
CRYPTOARMOR’S SOLUTION AND PREVENTION
CryptoArmor's real-time threat prevention software proactively analyzes threats from nation-state actors and ransomware groups. We have the expertise to identify network breaches as well as to track these clusters and identify actors on-chain.
Real-Time Threat Protection – Monitoring of on-chain and off-chain events, combined with intrusion detection systems, to contextualize alerts based on behaviors and other anomalies and prevent crypto hacks and crypto fraud before they happen.
To prevent situations like this, centralized and decentralized blockchain businesses and exchanges need real-time monitoring and protection systems that automatically alert on behavioral anomalies. CryptoArmor's real-time protection can monitor events in trading volume as well as network and system assets inside your environment. Without such monitoring in place, businesses are unlikely to detect or deter the most common manipulative activities, such as pump-and-dumps and wash trades, and the exchanges on which these manipulations take place may be exposed to considerable legal, reputational and financial risk.
Other services that complement CryptoArmor's real-time threat prevention are cybersecurity service offerings that build a proactive approach to security.
Incident Response – Our incident response team helps contain, respond to and remediate security incidents. Security events happen, even in organizations with the most mature security programs. For businesses experiencing attacks, CryptoArmor's incident response services respond to and remediate the threat, help get the organization back to an operational state, and prevent further damage. After the threat is mitigated, our investigation team performs a full review to share with engineering teams, then reviews the findings with the team as training to learn from the incident. Our team provides documentation to share with executive management and the board, and will also develop documents to share externally with necessary parties such as law enforcement or insurance providers.
Proactive Readiness – Training and attack simulation from the C level down to engineering teams; we help get organizations prepared for real scenarios with detailed training. The best way to respond to incidents is to be prepared for the chaos, and our experts prepare organizations for it by running simulations and tabletop exercises.
- Incident Response Simulation
- Tabletop Exercises
- Policy Preparation
- Attack Simulation
- Advanced testing of security controls and of the security team's response
- Advanced Pentesting and Audits – A tier-one offensive team targets your organization to test your security controls and applications for vulnerabilities.
- Achieve Compliance – Meet cybersecurity and data regulations with blockchain analysis and a security strategy built to satisfy any compliance framework.
CryptoArmor is a cybersecurity software company that helps protect web3 and blockchain enterprises. CryptoArmor also offers blockchain Cybersecurity-as-a-Service, which builds proactive security strategies to keep your business and your customers' data safe, as well as incident response capabilities to help organizations experiencing ongoing attacks. CryptoArmor's threat protection software helps monitor, detect and prevent hacks with real-time intelligent threat detection for web3 security events. CryptoArmor is headquartered in Austin, Texas.
Request a connection inside CryptoArmor by sending an email at: firstname.lastname@example.org
Source: Microsoft Security – https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/