Beware of Viruses in Telegram Crypto Groups

Dear users!


Keep in mind that nowadays scammers and/or compromised friends of yours may send a weaponized Excel file with the name OKX Binance & Huobi VIP fee comparision.xls which contains several tables about fee structures among cryptocurrency exchange companies. The data in the document is likely accurate to increase scammers credibility. This weaponized Excel file initiates the following series of activities:

-A malicious macro in the weaponized Excel file abuses UserForm of VBA to obfuscate the code and retrieve some data.

-The malicious macro drops another Excel sheet embedded in the form and executes it in invisible mode. The said Excel sheet is encoded in base64, and dropped into C:\ProgramData\Microsoft Media\ with the name VSDB688.tmp

-The file VSDB688.tmp downloads a PNG file containing three executables: a legitimate Windows file named logagent.exe, a malicious version of the DLL wsock32.dll, and an XOR encoded backdoor.

-The file logagent.exe is used to sideload the malicious wsock32.dll, which acts as a DLL proxy to the legitimate wsock32.dll. The malicious DLL file is used to load and decrypt the XOR encoded backdoor that lets the threat actor remotely access the infected system.




Stay safe,

Team BiXBiT.

Telegram channel @bixbit_new
Watch us on YouTube