On December 6, 2022, Microsoft researchers reported technical details of a campaign targeting cryptocurrency organizations globally using what they describe as complex tactics.
Community Impact
Many retail, travel, and hospitality organizations maintain financial relationships with cryptocurrency firms for business reasons, or accept cryptocurrency as payment and therefore maintain relationships with the firms that organize those payments. As such, while the current campaign does not explicitly target the RH-ISAC community, it does present a potential supply chain threat.
Technical Details
Organizations appear to be targeted through cryptocurrency investment groups via Telegram by leveraging fake employee profiles. According to Microsoft researchers, after gaining initial entry, the campaign, which they associate with a cluster of activity designated “DEV-0139,” leverages a weaponized Excel file that does the following:
- A malicious macro in the weaponized Excel file abuses a VBA UserForm to obfuscate the code and retrieve some data.
- The malicious macro extracts another Excel sheet embedded in the form and executes it in invisible mode. The second Excel sheet is encoded in base64 and dropped into C:\ProgramData\Microsoft Media\ with the name VSDB688.tmp.
- The file VSDB688.tmp downloads a PNG file containing three executables: a legitimate Windows file named logagent.exe, a malicious version of the DLL wsock32.dll, and an XOR encoded backdoor.
- The file logagent.exe is used to sideload the malicious wsock32.dll, which acts as a DLL proxy to the legitimate wsock32.dll. The malicious DLL file is used to load and decrypt the XOR encoded backdoor that lets the threat actor remotely access the infected system.
Next, the campaign drops a second payload: an MSI package for a CryptoDashboardV2 app.
Note on attribution: Volexity published research on the same activity recently, attributing the campaign to the North Korean Lazarus Group based on similarities to previous campaigns.
Detection Options
Microsoft provided the following hunting queries:
Query that looks for Office apps that create a file within one of the known bad directories:
DeviceFileEvents
| where InitiatingProcessFileName has_any ("word", "excel", "access", "outlook", "powerpnt")
| where ActionType == "FileCreated"
| where parse_path( FolderPath ).DirectoryPath has_any(
@"C:\ProgramData\Microsoft Media",
@"C:\ProgramData\SoftwareCache",
@"Roaming\Dashboard_v2"
)
| project Timestamp, DeviceName, FolderPath, InitiatingProcessFileName, SHA256, InitiatingProcessAccountName, InitiatingProcessAccountDomain
Query that looks for Office apps that create a file within an uncommon directory (fewer than five occurrences), and builds a set of the machines on which this is seen and of the users who executed it, to help gauge how many users/hosts are compromised:
DeviceFileEvents
| where InitiatingProcessFileName has_any ("word", "excel", "access", "outlook", "powerpnt")
| where ActionType == "FileCreated"
| extend Path = tostring(parse_path(FolderPath).DirectoryPath)
| summarize PathCount=count(), DeviceList=make_set(DeviceName), AccountList=make_set(InitiatingProcessAccountName) by FileName, Path, InitiatingProcessFileName, SHA256
| where PathCount < 5
Query that summarizes child processes of Office apps, looking for fewer than five occurrences:
DeviceProcessEvents
| where InitiatingProcessFileName has_any ("word", "excel", "access", "powerpnt")
| summarize ProcessCount=count(), DeviceList=make_set(DeviceName), AccountList=make_set(InitiatingProcessAccountName) by FileName, FolderPath, SHA256, InitiatingProcessFileName
| where ProcessCount < 5
Query that lists all executables with Microsoft as ProcessVersionInfoCompanyName, groups them by path, then looks for uncommon paths (fewer than five occurrences):
DeviceProcessEvents
| where ProcessVersionInfoCompanyName has "Microsoft"
| extend Path = tostring(parse_path(FolderPath).DirectoryPath)
| summarize ProcessList=make_set(FileName) by Path
| where array_length( ProcessList ) < 5
Query that searches for connections to malicious domains and IP addresses:
DeviceNetworkEvents
| where (RemoteUrl has_any ("strainservice.com"))
or (RemoteIP has_any ("198.54.115.248"))
Query that searches for files downloaded from malicious domains and IP addresses:
DeviceFileEvents
| where (FileOriginUrl has_any ("strainservice.com"))
or (FileOriginIP has_any ("198.54.115.248"))
Query that searches for Office apps downloading files from uncommon domains, and groups users, filenames, and devices together:
DeviceFileEvents
| where InitiatingProcessFileName has_any ("word", "excel", "access", "powerpnt")
| where ActionType == "FileCreated"
| where isnotempty( FileOriginUrl ) or isnotempty( FileOriginIP )
| summarize DomainCount=count(), UserList=make_set(InitiatingProcessAccountName), DeviceList=make_set(DeviceName),
FileList=make_set(FileName) by FileOriginUrl, FileOriginIP, InitiatingProcessFileName
Query that looks for downloaded files with uncommon file extensions, and groups remote IPs, URLs, filenames, users, and devices:
DeviceFileEvents
| where InitiatingProcessFileName has_any ("word", "excel", "access", "powerpnt", "outlook")
| where ActionType == "FileCreated"
| where isnotempty( FileOriginUrl ) or isnotempty( FileOriginIP )
| extend Extension=tostring(parse_path(FolderPath).Extension)
| extend Path=tostring(parse_path(FolderPath).DirectoryPath)
| summarize ExtensionCount=count(), IpList=make_set(FileOriginIP), UrlList=make_set(FileOriginUrl), FileList=make_set(FileName),
UserList=make_set(InitiatingProcessAccountName), DeviceList=make_set(DeviceName) by Extension, InitiatingProcessFileName
Query that looks for Office apps with child processes whose command line matches the GUID pattern, with a check for Microsoft binaries to reduce the result set before the regex is applied:
DeviceProcessEvents
| where InitiatingProcessFileName has_any ("word", "excel", "access", "powerpnt")
| where ProcessVersionInfoCompanyName has "Microsoft"
| where ProcessCommandLine matches regex
@"[A-Za-z0-9]+\.exe [A-Za-z0-9]{8}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{12} /[A-Za-z0-9]+$"
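As an added example (not part of Microsoft's or RH-ISAC's material), the following Python reimplements three of the hunting queries above over constructed sample telemetry so the logic can be checked outside of Defender: the known-bad-directory check, the uncommon-directory count, and the GUID command-line regex. The dictionary keys mirror the DeviceFileEvents and DeviceProcessEvents column names; the records, host names and user name are constructed.

```python
import re
from collections import Counter

OFFICE_APPS = ("word", "excel", "access", "outlook", "powerpnt")
# Drop directories named in the hunting queries above.
KNOWN_BAD_DIRS = (r"C:\ProgramData\Microsoft Media", r"C:\ProgramData\SoftwareCache", r"Roaming\Dashboard_v2")
# GUID command-line pattern from the last query, with "+" on the switch so "/shadow" and "/sven" match.
GUID_CMDLINE = re.compile(r"[A-Za-z0-9]+\.exe [A-Za-z0-9]{8}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}"
                          r"-[A-Za-z0-9]{4}-[A-Za-z0-9]{12} /[A-Za-z0-9]+$")

def is_office(name):
    # Substring match stands in for KQL has_any term matching; adequate for process names.
    return any(app in name.lower() for app in OFFICE_APPS)

def directory(path):
    # Stand-in for parse_path(FolderPath).DirectoryPath on a Windows path.
    return path.rsplit("\\", 1)[0]

def office_writes_to_known_bad_dirs(file_events):
    """First query: an Office app created a file under one of the known-bad directories."""
    return [(e["DeviceName"], e["FolderPath"]) for e in file_events
            if e["ActionType"] == "FileCreated" and is_office(e["InitiatingProcessFileName"])
            and any(bad.lower() in directory(e["FolderPath"]).lower() for bad in KNOWN_BAD_DIRS)]

def rare_office_write_dirs(file_events, threshold=5):
    """Second query: directories where Office apps created files fewer than `threshold` times."""
    counts = Counter(directory(e["FolderPath"]) for e in file_events
                     if e["ActionType"] == "FileCreated" and is_office(e["InitiatingProcessFileName"]))
    return {d: n for d, n in counts.items() if n < threshold}

def guid_sideload_children(process_events):
    """Last query: Microsoft-signed child of an Office app whose command line carries the GUID."""
    return [e["ProcessCommandLine"] for e in process_events
            if is_office(e["InitiatingProcessFileName"])
            and "Microsoft" in e["ProcessVersionInfoCompanyName"]
            and GUID_CMDLINE.search(e["ProcessCommandLine"])]

# Constructed sample telemetry (not real logs): one VSDB688.tmp drop plus five routine document saves.
FILE_EVENTS = [{"DeviceName": "WS-01", "ActionType": "FileCreated", "InitiatingProcessFileName": "excel.exe",
                "FolderPath": r"C:\ProgramData\Microsoft Media\VSDB688.tmp"}]
FILE_EVENTS += [{"DeviceName": "WS-02", "ActionType": "FileCreated", "InitiatingProcessFileName": "excel.exe",
                 "FolderPath": rf"C:\Users\alice\Documents\report{i}.xlsx"} for i in range(5)]
PROCESS_EVENTS = [
    {"InitiatingProcessFileName": "excel.exe", "ProcessVersionInfoCompanyName": "Microsoft Corporation",
     "ProcessCommandLine": "logagent.exe 56762eb9-411c-4842-9530-9922c46ba2da /shadow"},
    {"InitiatingProcessFileName": "excel.exe", "ProcessVersionInfoCompanyName": "Microsoft Corporation",
     "ProcessCommandLine": "splwow64.exe 12288 3"},
]
```

Note that the pattern requires a space immediately after `.exe`, so a command line that quotes the executable path (as the TPLink.exe entry in the IOC table appears to) is not matched; widen the pattern if your telemetry records quoted paths.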
IOCs
Microsoft researchers provided the following indicators of compromise:
| Indicator | Type | Notes |
| --- | --- | --- |
| abca3253c003af67113f83df2242a7078d5224870b619489015e4fde060acad0 | OKX Binance & Huobi VIP fee comparision[.]xls | Weaponized Excel file |
| 17e6189c19dedea678969e042c64de2a51dd9fba69ff521571d63fd92e48601b | OKX Binance & Huobi VIP fee comparision[.]xls | Weaponized Excel file |
| a2d3c41e6812044573a939a51a22d659ec32aea00c26c1a2fdf7466f5c7e1ee9 | VSDB688[.]tmp | Second worksheet dropped |
| 2e8d2525a523b0a47a22a1e9cc9219d6526840d8b819d40d24046b17db8ea3fb | wsock32[.]dll / HijackingLib[.]dll | Malicious dropper that acts as a DLL proxy to the legitimate wsock32[.]dll |
| 82e67114d632795edf29ce1d50a4c1c444846d9e16cd121ce26e63c8dc4a1629 | Duser[.]dll | |
| 90b0a4c9fe8fd0084a5d50ed781c7c8908f6ade44e5654acffea922e281c6b33 | Duser[.]dll / HijackingLib[.]dll | Malicious dropper that acts as a DLL proxy to the legitimate Duser[.]dll |
| e5980e18319027f0c28cd2f581e75e755a0dace72f10748852ba5f63a0c99487 | 4acbe3[.]msi | Fake CryptoDashboard application MSI package delivering Duser[.]dll |
| 82e67114d632795edf29ce1d50a4c1c444846d9e16cd121ce26e63c8dc4a1629 | 43d972[.]msi | Second fake application, BloxHolder, delivering Duser[.]dll |
| ea31e626368b923419e8966747ca33473e583376095c48e815916ff90382dda5 | DLL | Implant loaded by Duser[.]dll |
| C:\ProgramData\SoftwareCache\wsock32[.]dll | Path | Path of wsock32[.]dll |
| C:\Users\user\AppData\Roaming\Dashboard_v2\DUser[.]dll | Path | Path of Duser[.]dll |
| C:\Program Files\CryptoDashboardV2\ | Path | Path of the fake app |
| C:\ProgramData\Microsoft Media\VSDB688[.]tmp | Path | Path of the second worksheet |
| hxxps://od[.]lk/d/d021d412be456a6f78a0052a1f0e3557dcfa14bf25f9d0f1d0d2d7dcdac86c73/Background[.]png | Background[.]png downloaded from OpenDrive | PNG file downloaded on the victim machines |
| strainservice[.]com | Domain/C2 | Command and control server |
| 198[.]54[.]115[.]248 | IP/C2 | IP of the C2 |
| 56762eb9-411c-4842-9530-9922c46ba2da | GUID | GUID used |
| 27E57D84-4310-4825-AB22-743C78B8F3AA | GUID | GUID used |
| TPLink[.]exe" 27E57D84-4310-4825-AB22-743C78B8F3AA /sven | Command line | Command line run by the legitimate exe |
| logagent[.]exe 56762eb9-411c-4842-9530-9922c46ba2da /shadow | Command line | Command line run by the legitimate file |
TTPs
Microsoft researchers also provided the following MITRE ATT&CK tactics, techniques, and procedures (TTPs):
| Tactics | Technique ID | Name | Description |
| --- | --- | --- | --- |
| Reconnaissance | T1591 | Gather Victim Org Information | The attackers gathered information about the targets, reaching them on Telegram with a clear understanding of their challenges. |
| | T1593.001 | Social Media | Attackers identified the targets in specific cryptocurrency groups on Telegram. |
| Resource Development | T1583.001 | Acquire Infrastructure: Domains | Attackers registered the domain "strainservice.com" on June 18. |
| Initial Access | T1566.001 | Spearphishing Attachment | Attackers sent a weaponized Excel document. |
| Execution | T1204.002 | User Execution: Malicious File | The targeted user must open the weaponized Excel document and enable macros. |
| | T1059.005 | Command and Scripting Interpreter: Visual Basic | Attackers used VBA in the malicious Excel document "OKX Binance & Huobi VIP fee comparision.xls" to deliver the implant. |
| | T1106 | Native API | Use of the CreateProcess API in the Excel document to run the executable. |
| Persistence, Privilege Escalation, Defense Evasion | T1574.002 | DLL Side-Loading | The attackers abused the legitimate logagent.exe to sideload the malicious wsock32.dll and the legitimate TPLink.exe to sideload Duser.dll. |
| Defense Evasion | T1027 | Obfuscated Files or Information | The malicious VBA is obfuscated using a UserForm to hide variables and data. |
| | T1036.005 | Masquerading: Match Legitimate Name or Location | The attackers use a legitimate DLL name for a DLL that acts as a proxy to the original one (wsock32.dll and Duser.dll). |
| | T1027.009 | Obfuscated Files or Information: Embedded Payloads | The malicious DLLs drop the implant onto the machine. |
| Command & Control | T1071.001 | Application Layer Protocol: Web Protocols | The implant communicates with the remote domain over port 80 or 443. |
| | T1132 | Data Encoding | The implant encodes the data exchanged with the C2. |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | The implant has the ability to exfiltrate information. |