- A team of experts at Microsoft have disclosed that threat actors are actively luring crypto users to download malicious installers on their computers which end up gathering and exporting information to their command-and-control server.
- To mitigate these attacks, Microsoft recommends that organizations educate their users and turn on endpoint protection.
Microsoft Threat Intelligence, Microsoft’s global network of security experts, has unravelled an ongoing malicious campaign targeting crypto users.
According to the information delivered through multiple posts on X, Microsoft highlighted that several individuals might have become victims already, with many likely to fall for this carefully orchestrated fraudulent scheme, something the US Securities and Exchange Commission (SEC) seeks to fight, as highlighted in our previous article.
The Details of the Story
Reviewing the posts, CNF discovered that “malvertising” is one of the campaigns that has become rampant in the ecosystem. Also known as malicious advertising, malvertising exists as a cyberattack technique where malicious code is embedded in a digital ad after breaching a third-party server.
According to experts, these ads could sometimes be in the form of banners, imagery, or even video. While they usually appear unsuspicious, just a click by website visitors would have malware or adware installed on their computers. In most cases, these ads may redirect users to a malicious website for further attack using social engineering or spoofing.
Shedding more light on this, Microsoft explained that the process of these attacks could be summarized into four – defence evasion, data collection, payload delivery, and execution.
With defence evasion, users who are directed to these malicious sites unknowingly download malicious installers that are designed to appear as legitimate software. According to the report, this software could be a copy of trading platforms like Binance or TradingView. However, they contain what they termed as the malicious Dynamic Link Libraries (DLL). This then prepares the grounds for the data collection phase.
This installer is a Wix-built package containing a malicious CustomActions.dll. When launched, the installer loads the DLL, which then gathers basic system information through a Windows Management Instrumentation (WMI) query and creates a scheduled task to ensure the persistence of a PowerShell command.
From here, the script gathers detailed system information, including Windows information, BIOS information, Operating systems information, etc. Once completely gathered, they are converted into JSON format and then sent to the command-and-control server of the attacker through HTTP POST.
How to Deal With Malvertising Campaign
According to Microsoft, organizations can mitigate these threats using five major methods. Firstly, organizations should educate users about the risks of downloading software from unverified sources.
Secondly, organizations should turn on endpoint protection. According to them, this ensures that the “endpoint detection and response (EDR)” or the extended detection and response (XDR) are fully activated to monitor script execution. Apart from this, the Monitor Node.js execution should be actively monitored to detect unauthorized node.exe processes. Finally, it was suggested that outbound “C2 communications should be restricted.”
Crypto scams and hacks have significantly increased for the past couple of years with $3.01 billion drained in 2024, as noted in our earlier post. In a recent update, CNF also disclosed that hackers had breached X account of the Saudi Law Conference to fake a royal endorsement to promote fraudulent coins.
