A sophisticated attack by Russian-speaking actors is using a novel loader and a malware-laced PNG image file to drop malware that steals cryptocurrency or enterprise account data, researchers said. The multistage campaign appears to focus primarily on entities in Europe, the USA, and Latin America, Kaspersky researchers wrote in a blog post published June 12.
The attack begins with “DoubleFinger,” a multistage loader that drops an image file containing malicious code onto a victim’s computer. The malware infects victims with “GreetingGhoul,” a novel stealer specifically designed to siphon off cryptocurrency credentials.
However, DoubleFinger is not unique to cryptocurrency attacks, the Kaspersky researchers said, as researchers also observed it dropping Remcos RAT, a popular tool among financially motivated cybercriminals. Once the Remcos RAT gets into an enterprise network, stopping the malware and its follow-on attacks can be difficult for companies.
Russian-language artifacts within the code suggest that the perpetrators of this campaign come from a Commonwealth of Independent States country, though the researchers qualified that “the pieces of Russian text and the victimology are not enough to conclude that those behind this campaign are indeed from the post-Soviet region.”
Steganography for Cryptocurrency
DoubleFinger attacks begin with a phishing email. If the victim clicks on the attached program information file (.pif), this triggers a chain reaction that results in malicious shellcode downloading a PNG image from imgur.com. The seemingly nondescript image uses steganography, hiding secret data within non-secret data. The shellcode searches the PNG for a specific string in its code, 0xea79a5c6, which contains an encrypted payload.
The PNG with embedded shellcode. Source: Kaspersky
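A defender-side illustration of the point above, added here and not part of Kaspersky's write-up: a small PNG chunk walker that flags what a steganographic carrier like this one tends to leave behind (bytes after IEND, non-standard chunk types, bad CRCs) and reports where a known marker sits. The marker bytes are the value quoted in the article; their byte order in the file is an assumption, and the sample PNG and the dummy "payload" are constructed for the test, not real malware.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STANDARD = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt", b"tIME",
            b"pHYs", b"gAMA", b"cHRM", b"sRGB", b"iCCP", b"bKGD", b"tRNS", b"sBIT", b"hIST", b"sPLT"}
# Marker quoted in the article; big-endian byte order is an assumption.
MARKER = bytes.fromhex("ea79a5c6")

def analyze_png(data, marker=MARKER):
    """Walk the chunk structure and collect indicators of a tampered carrier image."""
    findings = {"chunks": [], "bad_crc": [], "nonstandard": [], "trailing": 0, "marker_at": None}
    if not data.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        name = ctype.decode("latin-1")
        findings["chunks"].append(name)
        # CRC covers chunk type + body; a mismatch means the chunk was edited or truncated.
        if len(crc_field) != 4 or struct.unpack(">I", crc_field)[0] != zlib.crc32(ctype + body):
            findings["bad_crc"].append(name)
        if ctype not in STANDARD:
            findings["nonstandard"].append(name)
        pos += 12 + length
        if ctype == b"IEND":
            break  # decoders stop here; anything after is invisible to the viewer
    findings["trailing"] = len(data) - pos
    idx = data.find(marker)
    findings["marker_at"] = idx if idx >= 0 else None
    return findings

def build_sample():
    """Constructed 1x1 PNG, clean and with a dummy blob appended after IEND (not real malware)."""
    def chunk(ctype, body):
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")              # filter byte + one red pixel
    clean = PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")
    tainted = clean + MARKER + bytes(range(32))            # constructed stand-in for an encrypted payload
    return clean, tainted

if __name__ == "__main__":
    for label, img in zip(("clean", "tainted"), build_sample()):
        print(label, analyze_png(img))
```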
At the end of this attack chain, as a rule, is GreetingGhoul, an infostealer with two main functions: it can detect victims’ cryptocurrency wallet apps and steal the sensitive credentials associated with them. GreetingGhoul uses MS WebView2, a tool for embedding web code into desktop apps, to overlay phishing pages on top of legitimate crypto-wallet interfaces. It is a move that evokes banking Trojans of old, as users unwittingly type their sensitive wallet credentials into attacker-controlled fields.
The image below, for example, depicts an overlay mimicking Ledger, the world’s most popular vendor of cryptocurrency hardware wallets. It prompts victims to enter their wallet’s seed phrase, the ultra-sensitive set of 12 or 24 words that generates their private key and grants unfettered access to all contents of the wallet. This is why cryptocurrency investors are regularly reminded never to give their seed phrases to anyone, even to access their wallets.
Source: Kaspersky