Slide 1

Slide 1 text

State-Sponsored Financially Motivated Attacks: Connecting the dots to a sophisticated threat actor. Thomas Roccia, Sr. Security Researcher at Microsoft, @fr0gger_

Slide 2

Slide 2 text

THOMAS ROCCIA 🤓 Sr. Security Researcher at Microsoft. Author of Visual Threat Intelligence. https://SecurityBreak.io @Fr0gger_

Slide 3

Slide 3 text

🔍 What will be covered?
The Correlation Between Cryptocurrency Markets and Nation State Interest
A Detailed Analysis of a Targeted Attack
Examining the Bigger Picture: Connecting the Dots

Slide 4

Slide 4 text

🤑 Cryptocurrency Industry Overview. The market is forecast to reach $7 billion in size by 2032. In September 2023, the price of BTC was approximately $26,321.

Slide 5

Slide 5 text

🏦 Interest in Cryptocurrency Among Nation-States

Slide 6

Slide 6 text

☠️ Targeted Attack by Citrine Sleet: Overview
Citrine Sleet (North Korea). Focus: financial institutions and cryptocurrency exchanges. Tradecraft: social media, supply chain attacks, trojanised apps, lures and decoys.

Slide 7

Slide 7 text

☠️ Targeted Attack by Citrine Sleet: Overview

Slide 8

Slide 8 text

🤝 The Initial Step: Establishing Trust. The actor operates in cryptocurrency investment groups on Telegram. In this specific attack, the attackers contacted their target on October 19, 2022, created a secondary Telegram group named “<> OKX Fee Adjustment” and invited three employees, using fake profiles built from the details of real employees of the exchange OKX.

Slide 9

Slide 9 text

The Compromise Begins 💀 A weaponized Excel document containing further details on the fees, to appear legitimate, named “OKX Binance & Huobi VIP fee comparision.xls” (the misspelling is in the original filename). The attackers used the fee structure discussion as an opportunity to ask the target to open the weaponized Excel file and fill in their information.

Slide 10

Slide 10 text

Analysis of Malicious Excel File 💻 The obfuscated macro uses a UserForm to store data and variables and drops a second malicious Excel file. The second file retrieves a PNG file that carries two executables and an encrypted backdoor, which the macro parses out of the image.
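As an added example (not code from the deck, and not Microsoft's analysis tooling), the following analyst-side carver shows the general technique behind a PNG used as a payload container: walk the chunk list to find IEND, then scan the trailing bytes for DOS/PE headers, size each executable from its section table, and hand whatever is left to the decryption step. The slide does not give the exact layout of the campaign's PNG; the assumption that the payloads sit after IEND, the 1x1 carrier image, the two PE stubs and the "encrypted" bytes are all constructed here.

```python
"""Carve PE payloads out of a PNG carrier. Added analyst tooling; layout and sample are constructed."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: big-endian length, type, data, CRC over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def png_trailer_offset(blob: bytes):
    """Walk the chunk list and return the offset just past IEND (where appended data starts), or None."""
    if not blob.startswith(PNG_SIG):
        return None
    off = len(PNG_SIG)
    while off + 8 <= len(blob):
        length, ctype = struct.unpack_from(">I4s", blob, off)
        off += 8 + length + 4            # chunk header + data + CRC
        if off > len(blob):
            return None                  # truncated chunk: not a well-formed image
        if ctype == b"IEND":
            return off
    return None


def pe_size(buf: bytes, off: int):
    """Size of the PE image starting at buf[off], derived from its section table; None if not a PE."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    if not 0x40 <= e_lfanew <= 0x1000 or buf[pe:pe + 4] != b"PE\0\0":
        return None
    nsections = struct.unpack_from("<H", buf, pe + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", buf, pe + 20)[0]        # COFF SizeOfOptionalHeader
    sect = pe + 24 + opt_size                                   # first IMAGE_SECTION_HEADER
    if sect + 40 * nsections > len(buf):
        return None
    end = e_lfanew + 24 + opt_size + 40 * nsections             # at least the headers themselves
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", buf, sect + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)                      # SizeOfRawData, PointerToRawData
    return end


def carve(blob: bytes):
    """Return (list of PE images found after IEND, bytes left over after the last PE)."""
    start = png_trailer_offset(blob)
    if start is None:
        return [], b""
    pes, pos, last_end = [], start, start
    while pos + 2 <= len(blob):
        size = pe_size(blob, pos) if blob[pos:pos + 2] == b"MZ" else None
        if size:
            pes.append(blob[pos:pos + size])
            pos = last_end = pos + size
        else:
            pos += 1
    return pes, blob[last_end:]


def fake_pe(marker: bytes) -> bytes:
    """Constructed, non-runnable PE32+ stub: DOS header, COFF header, one 0x200-byte section."""
    e_lfanew, opt_size, raw_ptr, raw_size = 0x40, 0xF0, 0x200, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", raw_size, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + coff + b"\0" * opt_size + section
    return headers.ljust(raw_ptr, b"\0") + marker.ljust(raw_size, b"\0")


ENCRYPTED_STAND_IN = bytes((i * 37 + 11) & 0xFF for i in range(96))   # opaque bytes, contains no "MZ"


def build_sample() -> bytes:
    """Constructed carrier: a 1x1 RGBA PNG followed by two PE stubs and the opaque blob."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)
    idat = zlib.compress(b"\0" + b"\0\0\0\0")                    # filter byte + one transparent pixel
    png = PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")
    return png + fake_pe(b"LOADER-ONE") + fake_pe(b"LOADER-TWO") + ENCRYPTED_STAND_IN


if __name__ == "__main__":
    images, rest = carve(build_sample())
    print(f"{len(images)} PE image(s) carved, {len(rest)} trailing byte(s) left for decryption")
```

Sizing each executable from PointerToRawData + SizeOfRawData rather than searching for the next "MZ" matters in practice: the encrypted blob that follows can contain any byte pair, so a naive signature scan would mis-split it.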

Slide 11

Slide 11 text

Analysis of Malicious Excel File 💻

Slide 12

Slide 12 text

👾 Payload Decoding & Execution

Slide 13

Slide 13 text

☠️ Final Backdoor. The backdoor collects information on the targeted machine. All strings and API calls are obfuscated with a custom algorithm. The network request to the C2 follows this pattern: GET hxxps://strainservice[.]com/resources?a=1666860077&v=1666527365
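As an added example (not from the deck or from Microsoft's tooling), here is a small hunt over web-proxy logs for the beacon shape shown on the slide. It refangs the indicator in memory, flags an exact match on host, path and the two numeric parameters as a high-confidence "beacon", and any other contact with the host as a lower-confidence "domain" hit. The log lines are constructed for this example, and the decoding of a and v as Unix epoch seconds is my assumption: the slide does not say what they encode, though both values fall in late October 2022, which matches the campaign timeline.

```python
"""Hunt for the backdoor beacon in proxy logs. Added example; log lines are constructed."""
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Indicator exactly as written on the slide (defanged); refanged only in memory.
DEFANGED_C2 = "hxxps://strainservice[.]com/resources?a=1666860077&v=1666527365"


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable URL."""
    return ioc.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")


C2 = urlsplit(refang(DEFANGED_C2))                 # host and path of the beacon
BEACON_QS = re.compile(r"^a=(\d{9,10})&v=(\d{9,10})$")   # generalised: any epoch-sized a/v pair


def classify(url: str):
    """('beacon', a, v) for the exact request shape, ('domain', None, None) for any other
    contact with the C2 host, None for unrelated traffic."""
    u = urlsplit(url)
    if u.hostname != C2.hostname:
        return None
    m = BEACON_QS.match(u.query) if u.path == C2.path else None
    if m:
        a, v = (int(x) for x in m.groups())
        return ("beacon", a, v)
    return ("domain", None, None)


def epoch_utc(ts: int) -> str:
    """Assumption, not stated on the slide: a and v look like Unix epoch seconds."""
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()


# Constructed proxy lines: "<time> <client> <method> <url> <status>". Not real telemetry.
SAMPLE_LOG = """\
2022-10-27T08:41:20Z 10.0.5.23 GET https://strainservice.com/resources?a=1666860077&v=1666527365 200
2022-10-27T08:42:01Z 10.0.5.23 GET https://www.microsoft.com/ 200
2022-10-27T09:03:44Z 10.0.5.40 GET https://strainservice.com/resources?a=1666860077&v=1666527365 200
2022-10-27T09:10:02Z 10.0.5.41 GET https://strainservice.com/ 404
2022-10-27T09:11:15Z 10.0.5.42 GET https://cdn.example.net/resources?a=1&v=2 200
"""


def hunt(log_text: str):
    """Scan log lines; return one finding per matching line, with decoded parameters for beacons."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue                                   # malformed line, skip rather than crash
        when, client, _method, url, _status = parts[:5]
        hit = classify(url)
        if hit is None:
            continue
        tier, a, v = hit
        finding = {"time": when, "client": client, "tier": tier, "url": url}
        if tier == "beacon":
            finding["a_utc"], finding["v_utc"] = epoch_utc(a), epoch_utc(v)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f)
```

Matching on the request shape rather than the literal query string keeps the rule useful if the values change between victims, while the separate "domain" tier still surfaces the host in logs where the path or parameters differ.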

Slide 14

Slide 14 text

💥 Related Attacks. Other attacks have been observed using fake or trojanised applications. The DLL proxying technique is consistent across those campaigns, as is the DLL name HijackingLib.dll.

Slide 15

Slide 15 text

💎 Diamond Model of Intrusion Analysis
Adversary: The North Korean government has a long-term interest in the financial industry, with a more recent focus on the cryptocurrency market.
Victim: The target is a cryptocurrency investment fund; such funds have been targets of interest for the DPRK, as reported by the Financial Services Agency of Japan.
Capabilities: The attackers use various techniques, such as packaging fake crypto apps in MSI format, abusing VBA UserForms, employing DLL side-loading, and using the AppleJeus malware.
Infrastructure: North Korean attackers exploit social media platforms like LinkedIn, Twitter, and Telegram to reach victims and create fake websites that appear to be legitimate cryptocurrency organizations.

Slide 16

Slide 16 text

But wait! There’s more! more! more!

Slide 17

Slide 17 text

💀 The 3CX Connection

Slide 18

Slide 18 text

📖 Additional Resources
https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/
https://www.volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware/
https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/
https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1aFyW
https://twitter.com/fr0gger_/status/1641668394155151366

Slide 19

Slide 19 text

Thank You Thomas Roccia @fr0gger_ Get my Book!