State-Sponsored Financially Motivated Attacks

This is a presentation delivered at Melbourne AISA in October 2023 about a nation state investigation targeting the cryptocurrency industry.

Thomas Roccia

October 26, 2023
Transcript

  1. State-Sponsored Financially
    Motivated Attacks
    Connecting the dot to a sophisticated threat actor
    Thomas Roccia
    Sr. Security Researcher at Microsoft
    @fr0gger_

  2. Sr. Security Researcher at Microsoft
    Author of Visual Threat Intelligence
    https://SecurityBreak.io
    @Fr0gger_
    🤓 THOMAS ROCCIA

  3. The Correlation Between Cryptocurrency Markets and
    Nation State Interest
    A Detailed Analysis of a Targeted Attack
    Examining the Bigger Picture: Connecting the Dots
    🔍 What will be covered?

  4. 🤑 Cryptocurrency Industry Overview
    The market size is anticipated to reach
    $7 billion by 2032 according to predictions.
    In September 2023, the price of
    BTC was approximately $26,321.

  5. 🏦 Interest in Cryptocurrency
    Among Nation-States

  6. ☠️ Targeted Attack by Citrine Sleet Overview
    Citrine Sleet
    North Korea
    Focus on targeting financial
    institutions and
    cryptocurrency exchanges.
    Use of social media, supply
    chain attacks, trojanised
    apps, lure and decoy.

  7. ☠️ Targeted Attack by Citrine Sleet Overview

  8. 🤝The Initial Step: Establishing Trust
    Cryptocurrency investment groups on
    Telegram
    In this specific attack, the attackers got in touch with their target on October 19, 2022.
    They created a secondary Telegram group with the name <> OKX Fee Adjustment> and invited three employees.
    They used fake profiles with details from employees of the company OKX.

  9. 💀 The Compromise Begins
    Weaponized Excel document containing further details on the fees to appear
    legitimate, with the name: “OKX Binance & Huobi VIP fee comparision.xls”
    Used the fee structure discussion as an opportunity to ask the target to open the
    weaponized Excel file and fill in their information

  10. 💻 Analysis of Malicious Excel File
    The obfuscated macro uses UserForm to
    store data and variables and drops a
    second malicious Excel file.
    The second file retrieves a PNG file that
    contains two executable files and an
    encrypted backdoor, which are parsed
    by the macro.

  11. 💻 Analysis of Malicious Excel File

  12. 👾 Payload Decoding & Execution

  13. ☠️ Final Backdoor
    The backdoor is used to collect information on the targeted machine.
    All strings and API calls are obfuscated using a custom algorithm.
    The network request follows this pattern:
    GET hxxps://strainservice[.]com/resources?a=1666860077&v=1666527365
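    The beacon pattern on this slide is the one network indicator the deck gives, so an added example (not from the presentation) shows how a defender can refang the defanged indicator and match it against proxy log lines. It assumes the log format `client method url` (constructed sample lines) and that the `a` and `v` query values are all-digit, which the slide's values satisfy.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicator exactly as written on the slide (defanged). Assumption: the "a" and
# "v" values are 10-digit Unix epoch values; detection only requires all digits.
SLIDE_INDICATOR = "hxxps://strainservice[.]com/resources?a=1666860077&v=1666527365"

def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a parseable URL."""
    return re.sub(r"^hxxp", "http", ioc.replace("[.]", "."), flags=re.IGNORECASE)

BEACON_HOST = urlsplit(refang(SLIDE_INDICATOR)).hostname  # strainservice.com

def is_beacon_url(url: str) -> bool:
    """True if url matches <host>/resources?a=<digits>&v=<digits>."""
    parts = urlsplit(refang(url))
    if parts.hostname != BEACON_HOST or parts.path != "/resources":
        return False
    qs = parse_qs(parts.query)
    return all(len(qs.get(k, [])) == 1 and qs[k][0].isdigit() for k in ("a", "v"))

# Constructed proxy log lines (not from the presentation): "client method url".
SAMPLE_LOG = """\
10.0.0.5 GET https://strainservice.com/resources?a=1666860077&v=1666527365
10.0.0.5 GET https://www.example.com/index.html
10.0.0.7 GET https://strainservice.com/resources?a=1666860100
10.0.0.9 GET https://strainservice.com/resources?a=abc&v=1666527365
10.0.0.5 GET https://strainservice.com/resources?a=1666860200&v=1666527365
"""

def find_beacons(log_text: str) -> list[tuple[str, str]]:
    """Return (client, url) for every log line whose URL matches the pattern."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 3 and is_beacon_url(fields[2]):
            hits.append((fields[0], fields[2]))
    return hits

if __name__ == "__main__":
    for client, url in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {url}")
```

    Lines with a missing or non-numeric parameter are deliberately left unmatched so the check stays tied to the pattern shown above rather than to the hostname alone.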

  14. 💥 Related Attacks
    Other attacks have been observed using
    fake or trojanised applications.
    The DLL proxying technique is
    consistent across those campaigns.
    The DLL name HijackingLib.dll is consistent as well.

  15. 💎 Diamond Model of Intrusion Analysis
    Capabilities
    Infrastructures
    Adversary
    Victim
    The North Korean government has a long-term
    interest in the financial industry, with a more
    recent focus on the cryptocurrency market.
    The target is a cryptocurrency investment fund,
    a category that has been a DPRK target of interest as
    reported by the Financial Services Agency of Japan.
    The attackers are using various techniques, such as
    packaging fake crypto apps in MSI format, exploiting
    VBA UserForm, employing DLL side loading, and using
    the AppleJeus malware for their attacks.
    North Korean attackers exploit social media
    platforms like LinkedIn, Twitter, and
    Telegram to target victims and create fake
    websites that appear to be legitimate
    cryptocurrency organizations.

  16. But wait! There’s more!

  17. 💀 The 3CX Connection

  18. 📖 Additional Resources
    https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/
    https://www.volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware/
    https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/
    https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1aFyW
    https://twitter.com/fr0gger_/status/1641668394155151366

  19. Thank You
    Thomas Roccia
    @fr0gger_
    Get my Book!