
Research confirms threat actor impersonating cryptocurrency firm on Telegram

A close-up view of the Telegram messaging app is seen on a smart phone on May 25, 2017 in London, England. SafeGuard Cyber Division Seven (D7) threat intelligence team located and confirmed an instance where a company’s employees had been targeted in a previously-known cryptocurrency impersonation scheme as far back as July 2022. (Photo by Ca...

A month after Microsoft revealed that a threat actor was using Telegram to connect with cryptocurrency VIPs and infect them with malware, another firm has found additional evidence of malicious actors impersonating legitimate players in the cryptocurrency space.

DEV-0139, a threat actor identified by Microsoft Security in December last year, took advantage of Telegram group chats to attack cryptocurrency investment companies. Following Microsoft's report, a cryptocurrency firm hired SafeGuard Cyber to help it investigate whether it had been targeted by DEV-0139.

SafeGuard Cyber's Division Seven (D7) threat intelligence team then located and confirmed an instance where the company's employees had been targeted as far back as July 2022 with the same malicious files that DEV-0139 had sent out.

"The D7 team identified the same [tactics, techniques, and procedures] that Microsoft had observed and linked to DEV-0139," said Steven Spadaccini, VP of threat intelligence at SafeGuard Cyber.

According to Microsoft's Dec. 6 research, DEV-0139 used Telegram groups that facilitate communication between VIP clients and cryptocurrency exchange platforms, identifying its targets among the members. After building connections and winning the targets' trust, the threat actor sent out malware-laced Excel files disguised as surveys of fee structures among cryptocurrency exchange companies. The actors behind the campaign have sometimes demonstrated detailed knowledge of the cryptocurrency space and its players. In this particular case, SafeGuard Cyber said that the threat actor impersonated a known employee of the client organization in order to gain trust before asking the targets to open a malicious macro file disguised as a form about fee structures. SafeGuard researchers said that while the individual made surface-level changes to their Telegram profile and photo to carry out the scheme, their account metadata clearly identified them as an impersonator.

Transcript of a communication between threat actor and an unnamed organization. The names and photos of parties have been changed to protect privacy. (Source: SafeGuard Cyber)
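The detail that matters for defenders in the passage above is that a Telegram display name and photo are mutable, while the numeric user ID behind the account is not. The following is an added example of the kind of triage a security team could run over a chat export; it is not SafeGuard Cyber's or Microsoft's tooling. It assumes an export where each message carries the sender's display name and user ID (the field names are assumptions), a roster of employees keyed by their real user IDs, and a list of macro-capable Office extensions chosen here for illustration.

```python
"""Defender-side triage of Telegram chat metadata for employee impersonation.

Added example, not SafeGuard Cyber's or Microsoft's code. Field names,
the employee roster and the sample chat export are all constructed.
"""
from dataclasses import dataclass, field

# Extensions that can carry Office macros; illustrative list, not exhaustive.
MACRO_EXTENSIONS = (".xlsm", ".xls", ".xlam", ".docm")


@dataclass
class Message:
    sender_id: int                 # immutable Telegram user ID (assumed field)
    sender_display_name: str       # mutable, chosen by the account owner
    text: str
    attachments: tuple = ()        # attachment file names


@dataclass
class Finding:
    sender_id: int
    reasons: list = field(default_factory=list)


def normalize(name: str) -> str:
    # Lowercase and collapse whitespace so "Jane  Doe" and "jane doe" compare equal.
    return " ".join(name.lower().split())


def triage(messages, roster):
    """Return one Finding per suspicious sender.

    roster maps an employee's display name to the real Telegram user ID.
    Two signals are raised:
      1. the display name matches a known employee but the user ID does not
         (the profile was changed, the account was not);
      2. a sender outside the roster delivers a macro-capable Office file.
    """
    by_name = {normalize(n): uid for n, uid in roster.items()}
    known_ids = set(roster.values())
    findings = {}
    for m in messages:
        reasons = []
        expected = by_name.get(normalize(m.sender_display_name))
        if expected is not None and expected != m.sender_id:
            reasons.append(
                f"display name matches employee ID {expected} "
                f"but sender ID is {m.sender_id}"
            )
        if m.sender_id not in known_ids:
            macro = [a for a in m.attachments if a.lower().endswith(MACRO_EXTENSIONS)]
            if macro:
                reasons.append(
                    "macro-capable attachment from unverified sender: "
                    + ", ".join(macro)
                )
        if reasons:
            f = findings.setdefault(m.sender_id, Finding(m.sender_id))
            f.reasons.extend(reasons)
    return list(findings.values())


# Constructed sample data: a two-person roster and a short chat export in
# which account 7777 has copied an employee's display name.
ROSTER = {"Jane Doe": 1001, "Sam Lee": 1002}
SAMPLE = [
    Message(1001, "Jane Doe", "Sending the Q3 numbers later today."),
    Message(7777, "Jane Doe", "Hi, can you fill in this fee-structure survey?",
            ("Exchange_Fees_Survey.xlsm",)),
    Message(1002, "Sam Lee", "Sure, will do.", ("notes.txt",)),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE, ROSTER):
        print(finding.sender_id, finding.reasons)
```

Keying the roster on user IDs rather than names is the whole point: a name match with an ID mismatch is exactly the profile-level impersonation the researchers describe, and it can be checked automatically for every monitored group.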

However, despite following the same pattern as DEV-0139, Spadaccini told SC Media that his team has not attached attribution to any specific groups.

"The TTPs seem to be indicative of the aforementioned group and/or other bad actors," he noted.

"The result of this analysis is that a compliance customer has enabled deeper security detections for monitored Telegram users," the research concluded. "This move is part of a larger trend we have observed over the course of 2022, a greater convergence of security and compliance functions in financial services to address overall business communication risks."

Despite the crypto winter, Telegram announced in December last year that it would build a set of decentralized tools for millions of people, including non-custodial wallets and a decentralized exchange.

Menghan Xiao

Menghan Xiao is a cybersecurity reporter at SC Media, covering software supply chain security, workforce/business, and threat intelligence. Before SC Media, Xiao studied journalism at Northwestern University, where she received a merit-based scholarship from Medill and the Jack Modzelewski Scholarship Fund.
