According to Slowmist, the Pegasus group is using iMessage accounts to send PassKit attachments containing malicious images to victims. This method is used to exploit vulnerabilities in Apple devices, particularly those used by crypto professionals.Two zero-day vulnerabilities that were being aggressively exploited by the Israeli NSO Group to install its Pegasus spyware on iPhones have been addressed by Apple.

The zero-click vulnerability was discovered by internet watchdog group Citizen Lab while inspecting the device of a person working for a civil society organization with international headquarters situated in Washington, DC.

Without the victim’s involvement, the exploit chain was able to compromise iPhones running the most recent version of iOS (16.6), according to a statement released late on Thursday by Citizen Lab.

They called the exploit chain ‘BLASTPASS’. PassKit attachments containing malicious photos were sent from an attacker’s iMessage account to the victim as part of the vulnerability.

Citizen Lab quickly informed Apple of our findings and helped with their inquiry.

Immediate Steps to Take

Update your Apple device to the latest version to patch the vulnerability.

Be cautious of any unexpected or unfamiliar messages received through iMessage.

Enable two-factor authentication for an extra layer of security.

As the popularity of cryptocurrencies continues to soar, scammers are finding innovative ways to con investors out of their hard-earned digital assets. More recently, social media platforms like Telegram and WhatsApp have become hotbeds for such fraudulent activities. Let's take a closer look at some examples.

1. Telegram: The Fake Bot Scam

A user unsuspectingly engaged with a fraudulent Telegram bot, which falsely claimed to represent Binance. The bot deceitfully enticed the user by making an enticing yet highly unrealistic promise: their investment would be doubled promptly. Trusting the deceptive pretenses, the user proceeded to transfer funds directly from their bank account to the scammer's account.

Unfortunately, the user fell victim to this nefarious scheme and suffered a financial loss due to the malicious impersonation of Binance by the Telegram bot. This situation highlights the significance of exercising caution and skepticism when encountering seemingly profitable opportunities, especially when these guarantees appear to come from a reputable entity such as Binance.

2. Telegram: The Scam Group

In a similar vein, a user shared a potentially malicious link in a Telegram group, suggesting that their LTC (Litecoin) in their MetaMask wallet had disappeared after clicking on the provided link. The website could potentially be a phishing or scam site aiming to deceive unsuspecting users.

In this alarming scenario, the user claims that their assets vanished due to their interaction with the suspicious website. This can happen due to multiple reasons, such as downloading malware that manipulates users into revealing sensitive information, exploiting known vulnerabilities in software and hardware, or scamming the users into sharing their private keys.

The incident underscores the importance of exercising extreme caution when dealing with unverified online resources, especially those associated with cryptocurrency transactions. Individuals should be vigilant, avoiding suspicious webpages and verifying the authenticity of websites before engaging with them.

3. WhatsApp: Fake Investment WhatsApp Group

The scam targeting crypto exchange users, such as Binance customers, is an insidious scheme in which fraudsters create counterfeit investment-related WhatsApp groups impersonating reputable exchanges or trusted cryptocurrency experts. These groups entice potential victims by promising substantial returns or risk-free profits on crypto investments made through their channels, often advertising highly alluring yet too-good-to-be-true opportunities.

4. WhatsApp: the Fake Account Impersonating Binance's Service

The counterfeit group utilized the familiar branding and reputation of Binance to create an aura of credibility. They propagated fabricated dividend rates and incentives, enticing users to deposit their hard-earned money into the scammer's wallet rather than a legitimate Binance account or DeFi platform.

To avoid falling victim to such swindles, users must exercise caution and skepticism when encountering investment proposals on social media platforms, such as WhatsApp. It is crucial to verify the legitimacy of the group administrators, seeking and confirming the authenticity of the group directly with Binance or through official Binance communication channels. Crypto investors should be prudent by researching and validating the authenticity of any investment schemes before participating, as well as being cautious about sharing their personal and financial information with unknown entities.

 

As we continue to innovate and grow within the cryptocurrency space, the responsibility falls on each one of us to ensure we're practicing safe, secure habits. Remember, your security in the crypto world is as strong as the weakest link. So, stay vigilant, be aware, and let's continue to build a safer crypto ecosystem together.

Phishing scams, a form of cyber attack in which scammers try to trick you into sharing sensitive information, have been around for as long as the internet itself. With the rising popularity of cryptocurrency and exchanges such as Binance, these scams have evolved and become more sophisticated. Let's dive into the mechanics of these email phishing campaigns and how you can protect yourself.

Real-World Case

According to the phishing email samples reported by users, Binance users mainly receive the following types of phishing emails.

The user received an email, seemingly from Binance, alerting him to suspicious activity on his account. The email instructed him to click on a link and log in to his account to secure it. The link led to a near-perfect replica of Binance's website, where the victim unknowingly gave his login credentials to the scammers.

The user received emails similar to Binance's official activities, such as Airdrops, to induce users to participate in scammers' project.

The screenshot below shows a sample of some phishing emails.

Understanding the Threat

Phishing campaigns targeting crypto users often employ email spoofing, making it appear as if the email is coming directly from a reputable exchange like Binance. The email might alert you to a fake security risk or ask you to verify your account details. Typically, you will be asked to click on a link which leads to a counterfeit exchange website, indistinguishable from the original.Once on the bogus site, any information you input, such as login details or private keys, goes straight to the scammers. In some cases, the fake website might even prompt you to make a transaction, leading to immediate financial loss.

Technical Tutorial - How to identify phishing emails from an EML file

From this part, users can understand how to analyze an email from a technical level.

If you use Gmail, then you can follow the steps below to download the eml file

​You can download emails directly to your computer. Once downloaded, you can attach an email to another email.

On your computer, go to Gmail.

Open the email.

Click More 

Click Download message.

Open the EML file as a text file editor, you will see the content as the following.

Here are a few more important fields that need attention：

Return-path

Reply-To

Received

Fields starting with “X”

Case 1. Return path does not contains the official Binance sender

Case 2. Malformed SPF/DKIM/DMARC

Protecting Yourself

1. Beware of Unsolicited Emails: Be suspicious of emails that ask for immediate action. Phishers often create a sense of urgency to trick you into making a hasty, ill-informed decision.

2. Check Email Addresses Carefully: Although phishing emails may look legitimate, the sender's email address often reveals the truth. Be cautious of email addresses that resemble, but do not exactly match, those of the exchange.

3. Don't Click on Suspicious Links: Instead of clicking on the link provided in the email, manually type the exchange's web address into your browser.

4. Enable Two-Factor Authentication (2FA): This adds an extra layer of security by requiring a second form of identification, making it harder for phishers to gain access to your account.

5. Keep Your Information Private: Remember, no reputable exchange will ever ask for your private keys or password over email.

6. Stay Informed: Cybersecurity threats evolve continuously, so it's crucial to keep yourself updated on the latest phishing tactics.

7. Set up an Anti-Phishing Code on Binance: An anti-phishing code is a security feature that lets you add an extra layer of security to your Binance account. Once you've enabled the anti-phishing code, it will be included in all genuine emails from Binance. This code will allow you to discern real emails from phishing emails, helping you prevent phishing attempts.

 

Being vigilant and following security best practices are your best defenses against phishing attacks. Remember, when it comes to your valuable digital assets, it's always better to be safe than sorry. Stay alert, and keep your crypto safe.

Original Source: Microsoft Security Threat Intelligence

Over the past several years, the cryptocurrency market has considerably expanded, gaining the interest of investors and threat actors. Cryptocurrency itself has been used by cybercriminals for their operations, notably for ransom payment in ransomware attacks, but we have also observed threat actors directly targeting organizations within the cryptocurrency industry for financial gain. Attacks targeting this market have taken many forms, including fraud, vulnerability exploitation, fake applications, and usage of info stealers, as attackers attempt to get their hands on cryptocurrency funds.

We are also seeing more complex attacks wherein the threat actor shows great knowledge and preparation, taking steps to gain their target’s trust before deploying payloads. For example, Microsoft recently investigated an attack where the threat actor, tracked as DEV-0139, took advantage of Telegram chat groups to target cryptocurrency investment companies. DEV-0139 joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms and identified their target from among the members. The threat actor posed as representatives of another cryptocurrency investment company, and in October 2022 invited the target to a different chat group and pretended to ask for feedback on the fee structure used by cryptocurrency exchange platforms. The threat actor had a broader knowledge of this specific part of the industry, indicating that they were well prepared and aware of the current challenge the targeted companies may have.

After gaining the target’s trust, DEV-0139 then sent a weaponized Excel file with the name OKX Binance & Huobi VIP fee comparision.xls which contained several tables about fee structures among cryptocurrency exchange companies. The data in the document was likely accurate to increase their credibility. This weaponized Excel file initiates the following series of activities:

A malicious macro in the weaponized Excel file abuses UserForm of VBA to obfuscate the code and retrieve some data.

The malicious macro drops another Excel sheet embedded in the form and executes it in invisible mode. The said Excel sheet is encoded in base64, and dropped into C:\ProgramData\Microsoft Media\ with the name VSDB688.tmp

The file VSDB688.tmp downloads a PNG file containing three executables: a legitimate Windows file named logagent.exe, a malicious version of the DLL wsock32.dll, and an XOR encoded backdoor.

The file logagent.exe is used to sideload the malicious wsock32.dll, which acts as a DLL proxy to the legitimate wsock32.dll. The malicious DLL file is used to load and decrypt the XOR encoded backdoor that lets the threat actor remotely access the infected system.

Figure 1. Overview of the attack

Further investigation through our telemetry led to the discovery of another file that uses the same DLL proxying technique. But instead of a malicious Excel file, it is delivered in an MSI package for a CryptoDashboardV2 application, dated June 2022. This may suggest other related campaigns are also run by the same threat actor, using the same techniques.

In this blog post, we will present the details uncovered from our investigation of the attack against a cryptocurrency investment company, as well as analysis of related files, to help similar organizations understand this kind of threat, and prepare for possible attacks. Researchers at Volexity recently published their findings on this attack as well.

As with any observed nation state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the information they need to secure their accounts. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing Microsoft Threat Intelligence Center (MSTIC) to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.

Initial compromise

To identify the targets, the threat actor sought out members of cryptocurrency investment groups on Telegram. In the specific attack, DEV-0139 got in touch with their target on October 19, 2022 by creating a secondary Telegram group with the name <> OKX Fee Adjustment and inviting three employees. The threat actor created fake profiles using details from employees of the company OKX. The screenshot below shows the real accounts and the malicious ones for two of the users present in the group.

Figure 2. Legitimate profiles of cryptocurrency exchange employees (left) and fake profiles created by the threat actor (right)

It’s worth noting that the threat actor appears to have a broad knowledge of the cryptocurrency industry and the challenges the targeted company may face. The threat actor asked questions about fee structures, which are the fees used by crypto exchange platforms for trading. The fees are a big challenge for investment funds as they represent a cost and must be optimized to minimize impact on margin and profits. Like many other companies in this industry, the largest costs come from fees charged by exchanges. This is a very specific topic that demonstrates how the threat actor was advanced and well prepared before contacting their target.

After gaining the trust of the target, the threat actor sent a weaponized Excel document to the target containing further details on the fees to appear legitimate. The threat actor used the fee structure discussion as an opportunity to ask the target to open the weaponized Excel file and fill in their information.

Weaponized Excel file analysis

The weaponized Excel file, which has the file name OKX Binance & Huobi VIP fee comparision.xls (Sha256: abca3253c003af67113f83df2242a7078d5224870b619489015e4fde060acad0), is well crafted and contains legitimate information about the current fees used by some crypto exchanges. The metadata extracted showed that the file was created by the user Wolf:

Figure 3. The information in the malicious Excel file

The macro is obfuscated and abuses UserForm (a feature used to create windows) to store data and variables. In this case, the name of the UserForm is IFUZYDTTOP, and the macro retrieves the information with the following code IFUZYDTTOP.MgQnQVGb.Caption where MgQnQVGb is the name of the label in the UserForm and .caption allows to retrieve the information stored into the UserForm.

The table below shows the data retrieved from the UserForm:

The macro retrieves some parameters from the UserForm as well as another XLS file stored in base64. The XLS file is dropped into the directory C:\ProgramData\Microsoft Media as VSDB688.tmp and runs in invisible mode.

Figure 4. The deobfuscated code to load the extracted worksheet in invisible mode.

Additionally, the main sheet in the Excel file is protected with the password dragon to encourage the target to enable the macros. The sheet is then unprotected after installing and running the other Excel file stored in Base64. This is likely used to trick the user to enable macros and not raise suspicion.

Extracted worksheet

The second Excel file, VSDB688.tmp (Sha256: a2d3c41e6812044573a939a51a22d659ec32aea00c26c1a2fdf7466f5c7e1ee9), is used to retrieve a PNG file that is parsed later by the macro to extract two executable files and the encrypted backdoor. Below is the metadata for the second worksheet:

Figure 5. The second file is completely empty but contains the same UserForm abuse technique as the first stage.

The table below shows the deobfuscated data retrieved from the UserForm:

The macro retrieves some parameters from the UserForm then downloads a PNG file from hxxps://od.lk/d/d021d412be456a6f78a0052a1f0e3557dcfa14bf25f9d0f1d0d2d7dcdac86c73/Background.png. The file was no longer available at the time of analysis, indicating that the threat actor likely deployed it only for this specific attack.

Figure 6. Deobfuscated code that shows the download of the file Background.png

The PNG is then split into three parts and written in three different files: the legitimate file logagent.exe, a malicious version of wsock32.dll, and the XOR encrypted backdoor with the GUID (56762eb9-411c-4842-9530-9922c46ba2da). The three files are used to load the main payload to the target system.

Figure 7. The three files are written into C:\\ProgramData\SoftwareCache\ and run using the CreateProcess API

Loader analysis

Two of the three files extracted from the PNG file, logagent.exe and wsock32.dll, are used to load the XOR encrypted backdoor. The following sections present our in-depth analysis of both files.

Logagent.exe

Logagent.exe (Hash: 8400f2674892cdfff27b0dfe98a2a77673ce5e76b06438ac6110f0d768459942) is a legitimate system application used to log errors from Windows Media Player and send the information for troubleshooting.

The file contains the following metadata, but it is not signed:

The logagent.exe imports function from the wsock32.dll which is abused by the threat actor to load malicious code into the targeted system. To trigger and run the malicious wsock32.dll, logagent.exe is run with the following arguments previously retrieved by the macro: 56762eb9-411c-4842-9530-9922c46ba2da /shadow. Both arguments are then retrieved by wsock32.dll. The GUID 56762eb9-411c-4842-9530-9922c46ba2da is the filename for the malicious wsock32.dll to load and /shadow is used as an XOR key to decrypt it. Both parameters are needed for the malware to function, potentially hindering isolated analysis.

Figure 8. Command line execution from the running process logagent.exe

Wsock32.dll

The legitimate wsock32.dll is the Windows Socket API used by applications to handle network connections. In this attack, the threat actor used a malicious version of wsock32.dll to evade detection. The malicious wsock32.dll is loaded by logagent.exe through DLL side-loading and uses DLL proxying to call the legitimate functions from the real wsock32.dll and avoid detection. DLL proxying is a hijacking technique where a malicious DLL sits in between the application calling the exported function and a legitimate DLL that implements that exported function. In this attack, the malicious wsock32.dll acts as a proxy between logagent.exe and the legitimate wsock32.dll.

It is possible to notice that the DLL is forwarding the call to the legitimate functions by looking at the import address table:

Figure 9. Import Address Table from

Figure 10. Retrieving data with PeStudio revealed the original file name for the malicious wsock32.dll.

When the malicious wsock32.dll is loaded, it first retrieves the command line, and checks if the file with the GUID as a filename is present in the same directory using the CreateFile API to retrieve a file handle.

Figure 11. Verification of the presence of the file 56762eb9-411c-4842-9530-9922c46ba2da for decryption

The malicious wsock32.dll loads and decodes the final implant into the memory with the GUID name which is used to remote access the infected machine.

Once the file is loaded into the memory, it gives remote access to the threat actor. At the time of the analysis, we could not retrieve the final payload. However, we identified another variant of this attack and retrieved the payload, which is discussed in the next section. Identified implants were connecting back to the same command-and-control (C2) server.

Related attack

We identified another file using a similar mechanism as logagent.exe and delivering the same payload. The loader is packaged as an MSI package and as posed an application called CryptoDashboardV2 (Hash: e5980e18319027f0c28cd2f581e75e755a0dace72f10748852ba5f63a0c99487). After installing the MSI, it uses a legitimate application called tplink.exe to sideload the malicious DLL called DUser.dll and uses  DLL proxying as well.

Figure 12. Installation details of the MSI file

Once the package is installed, it runs and side-loads the DLL using the following command: C:\Users\user\AppData\Roaming\Dashboard_v2\TPLink.exe” 27E57D84-4310-4825-AB22-743C78B8F3AA /sven, where it noticeably uses a different GUID.

Further analysis of the malicious DUser.dll showed that its original name is also HijackingLib.dll, same as the malicious wsock32.dll. This could indicate the usage of the same tool to create these malicious DLL proxies. Below are the file details of DUser.dll:

Once the DLL is running, it loads and decodes the implant in the memory and starts beaconing the same domain. In that case, the implant is using the GUID name 27E57D84-4310-4825-AB22-743C78B8F3AA and the XOR key /sven.

Implant analysis

The payload decoded in the memory by the malicious DLL is an implant used by the threat actor to remotely access the compromised machine. We were able to get the one from the second variant we uncovered. Below are the details of the payload:

Detection details

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components as the following malware:

TrojanDownloader:O97M/Wolfic.A

TrojanDownloader:O97M/Wolfic.B

TrojanDownloader:O97M/Wolfic.C

TrojanDownloader:Win32/Wolfic.D

TrojanDownloader:Win32/Wolfic.E

Behavior:Win32/WolficDownloader.A

Behavior:Win32/WolficDownloader.B

Microsoft Defender for Endpoint

Alerts with the following titles in the security center can indicate threat activity on your network:

An executable loaded an unexpected dll

DLL search order hijack

‘Wolfic’ malware was prevented