Microsoft alerts crypto users to a malicious Excel attack comparing OKX, Binance and Huobi fees


  • Microsoft recently investigated a malicious Excel attack where the exploiter targeted crypto investors in Telegram chat groups. 
  • The bad actor weaponized an excel file with the name ‘OKX Binance & Huobi VIP fee comparison.xls’ and shared it with target users. 
  • The threat actor was identified as DEV-0139 and the weaponized excel gave the hacker a back door to the user’s system. 

Microsoft investigated an exploit on crypto users by DEV-0139. The exploiter infiltrated Telegram chat groups to identify targets before sharing a malicious Excel file to gain backdoor access to their system. 

Also read: Goldman Sachs to increase crypto stake after FTX exchange collapse

Microsoft investigates Excel attack targeted at crypto traders

Microsoft, an American multinational tech company recently investigated an attack that targeted crypto users. The bad actor DEV-0139 shared a malicious Excel file titled OKX Binance & Huobi VIP fee comparison.xls with crypto traders in messaging app Telegram groups. The intent was to gain back door access to their system through the Excel file. 

The malicious user infiltrated chat groups on Telegram and masqueraded as a representative of a crypto investment firm. The attacker pretended to discuss trading fees with VIP clients of major exchanges Binance, OKX and Huobi. 

According to investigators at Microsoft, the attacker would gain the trust of targeted victims,  get them to share  in-depth information, and then share a malicious file to gain access to their systems. The weaponized Excel file claimed to compare VIP tier fees across exchanges like OKX, Binance and Huobi. The file was well crafted and contained legitimate information about the current fees used by some crypto exchanges

The metadata extracted showed that the file was created by a user called “Wolf”. 

The information shared in the weaponized Excel file

The information shared in the weaponized Excel file

Two of three files extracted from the malicious download opened a back door

Microsoft’s investigation revealed that two out of three files extracted from the original download, logagent.exe and wsock32.dll, were responsible for loading an encrypted backdoor. The following sections present Microsoft’s in-depth analysis of both files.

Once the file was loaded into the victim computer’s memory, it gave remote access to DEV-0139. At the time of analysis, Microsoft’s security intelligence team identified another variant of the attack and retrieved the payload. The identified malicious implants connected back to the same command-and-control C2 server that opens a backdoor in the user’s system. 

Microsoft recommends fighting malicious Excel attacks in this manner 

In the report published by the American software giant, the attack is classified as one targeted at crypto investment fund startups. Such companies are relatively new, but manage hundreds of millions of dollars and, therefore, are a magnet for cyber criminals. 

DEV-0139 had broad knowledge of the cryptocurrency industry as well as the challenges that targeted victims may face, increasing the sophistication of the attack and its chances of success. The threat actor used Telegram, an app used by many in the crypto ecosystem and identified the profile of interested parties, before gaining the target’s trust by discussing relevant topics. 

The exploiter then sent a weaponized document that delivered a backdoor through multiple mechanisms. Additionally, a second attack used a fake crypto dashboard application, to lure target users. 

Microsoft recommends:

  • Educating end users about protecting personal and business information in social media, filtering unsolicited communication (in this case, Telegram chat groups), identifying lures in spear-phishing email and watering holes, and reporting reconnaissance attempts and other suspicious activity.
  • Educating end users about preventing malware infections, such as ignoring or deleting unsolicited and unexpected emails or attachments sent via instant messaging applications or social networks. 
  • Encouraging end users to practice good credential hygiene and make sure the Microsoft Defender Firewall (which is enabled by default) is always on to prevent malware infection and stifle propagation.
  • Changing Excel macro security settings to control which macros run and under what circumstances when a workbook is opened. 
  • Stopping malicious XLM or VBA macros by ensuring runtime macro scanning by Antimalware Scan Interfaces (AMSI) is on. 
  • Turning-on attack surface reduction rules to prevent common attack techniques observed in this threat, by doing the following:
    • Blocking Office applications from creating executable content.
    • Blocking Office communication application from creating child processes.
    • Blocking Win32 API calls from Office macros.
  • Ensuring that Microsoft Defender Antivirus is up to date and that real-time behavior monitoring is enabled.

Information on these pages contains forward-looking statements that involve risks and uncertainties. Markets and instruments profiled on this page are for informational purposes only and should not in any way come across as a recommendation to buy or sell in these assets. You should do your own thorough research before making any investment decisions. FXStreet does not in any way guarantee that this information is free from mistakes, errors, or material misstatements. It also does not guarantee that this information is of a timely nature. Investing in Open Markets involves a great deal of risk, including the loss of all or a portion of your investment, as well as emotional distress. All risks, losses and costs associated with investing, including total loss of principal, are your responsibility. The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of FXStreet nor its advertisers. The author will not be held responsible for information that is found at the end of links posted on this page.

If not otherwise explicitly mentioned in the body of the article, at the time of writing, the author has no position in any stock mentioned in this article and no business relationship with any company mentioned. The author has not received compensation for writing this article, other than from FXStreet.

FXStreet and the author do not provide personalized recommendations. The author makes no representations as to the accuracy, completeness, or suitability of this information. FXStreet and the author will not be liable for any errors, omissions or any losses, injuries or damages arising from this information and its display or use. Errors and omissions excepted.

The author and FXStreet are not registered investment advisors and nothing in this article is intended to be investment advice.

Recommended content


Recommended Content

Editors’ Picks

Bitcoin Weekly Forecast: BTC nosedives below $95,000 as spot ETFs record highest daily outflow since launch

Bitcoin Weekly Forecast: BTC nosedives below $95,000 as spot ETFs record highest daily outflow since launch

Bitcoin price continues to edge down, trading below $95,000 on Friday after declining more than 9% this week. Bitcoin US spot ETFs recorded the highest single-day outflow on Thursday since their launch in January.

More Bitcoin News
Bitcoin crashes to $96,000, altcoins bleed: Top trades for sidelined buyers

Bitcoin crashes to $96,000, altcoins bleed: Top trades for sidelined buyers

Bitcoin (BTC) slipped under the $100,000 milestone and touched the $96,000 level briefly on Friday, a sharp decline that has also hit hard prices of other altcoins and particularly meme coins. 

More Bitcoin News
Solana Price Forecast: SOL’s technical outlook and on-chain metrics hint at a double-digit correction

Solana Price Forecast: SOL’s technical outlook and on-chain metrics hint at a double-digit correction

Solana (SOL) price trades in red below $194 on Friday after declining more than 13% this week. The recent downturn has led to $38 million in total liquidations, with over $33 million coming from long positions.

More Solana News
SEC approves Hashdex and Franklin Templeton's combined Bitcoin and Ethereum crypto index ETFs

SEC approves Hashdex and Franklin Templeton's combined Bitcoin and Ethereum crypto index ETFs

The SEC approved Hashdex's proposal for a crypto index ETF. The ETF currently features Bitcoin and Ethereum, with possible additions in the future. The agency also approved Franklin Templeton's amendment to its Cboe BZX for a crypto index ETF.

More Cryptocurrencies News
Bitcoin: 2025 outlook brightens on expectations of US pro-crypto policy

Bitcoin: 2025 outlook brightens on expectations of US pro-crypto policy

Bitcoin price has surged more than 140% in 2024, reaching the $100K milestone in early December. The rally was driven by the launch of Bitcoin Spot ETFs in January and the reduced supply following the fourth halving event in April.

Read full analysis
Best Forex Brokers with Low Spreads

Best Forex Brokers with Low Spreads

VERIFIED Low spreads are crucial for reducing trading costs. Explore top Forex brokers offering competitive spreads and high leverage. Compare options for EUR/USD, GBP/USD, USD/JPY, and Gold.

Read More

BTC

ETH

XRP