Kaspersky has discovered a new sophisticated multi-stage attack campaign targeting cryptowallets in Europe, the US and Latin America.
The attack includes the DoubleFinger loader, a crimeware-type complex software that deploys the GreetingGhoul cryptocurrency stealer and the Remcos Remote Access Trojan (RAT).
Kaspersky’s analysis highlights the techniques and skill level of cybercriminals in this evolving threat landscape.
As Kaspersky’s research shows, the multi-stage DoubleFinger loader launches its attack when the victim unintentionally opens a malicious PIF attachment in an email.
This triggers the execution of the first stage of the loader, a modified Windows DLL, followed by the execution of malicious shellcode.
The shellcode then downloads a PNG image containing a payload that is executed in a later stage of the attack.
In total, it takes DoubleFinger five steps to create a scheduled task that runs the GreetingGhoul stealer every day at a specific time. It then downloads another PNG file, decrypts it and executes it.
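As an added defender-side example (not code from Kaspersky’s report, which does not state how the payload is embedded in the image), the following Python check walks a PNG’s chunk list and reports any bytes that follow the IEND chunk, a simple heuristic for spotting image files carrying appended data; the sample PNG and the appended bytes are constructed here.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_trailing_payload(data: bytes) -> dict:
    """Walk the PNG chunk list and report anything that follows IEND.

    Returns: valid (bool), chunks (chunk type names seen), trailing_bytes
    (byte count after IEND), bad_crc (chunk types whose CRC did not match).
    """
    result = {"valid": False, "chunks": [], "trailing_bytes": 0, "bad_crc": []}
    if not data.startswith(PNG_SIGNATURE):
        return result
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            return result  # truncated chunk: malformed file
        name = ctype.decode("ascii", "replace")
        result["chunks"].append(name)
        if struct.unpack(">I", crc)[0] != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            result["bad_crc"].append(name)
        pos += 12 + length
        if ctype == b"IEND":
            break  # a well-formed PNG ends here; anything after is suspicious
    result["valid"] = True
    result["trailing_bytes"] = len(data) - pos
    return result


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


# Constructed 1x1 grayscale PNG used as sample input (not a real capture).
CLEAN_PNG = (PNG_SIGNATURE
             + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
             + _chunk(b"IEND", b""))
# Constructed placeholder standing in for appended data; not a real payload.
APPENDED = b"CONSTRUCTED-DUMMY-PAYLOAD"
SUSPICIOUS_PNG = CLEAN_PNG + APPENDED

if __name__ == "__main__":
    print(png_trailing_payload(CLEAN_PNG))
    print(png_trailing_payload(SUSPICIOUS_PNG))
```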
GreetingGhoul is a stealer designed to steal cryptocurrency-related credentials and consists of two components: the first uses MS WebView2 to create overlays on cryptocurrency wallet interfaces and the second is designed to detect cryptocurrency wallet applications and steal sensitive information such as keys, recovery phrases and so on.
In addition to GreetingGhoul, Kaspersky also detected DoubleFinger samples that installed Remcos RAT.
Remcos is a well-known commercial RAT that is often used by cybercriminals in targeted attacks against businesses and organizations.
The multi-stage, shellcode-type loader with steganography capabilities, the use of Windows COM interfaces for covert execution, and the use of process doppelgänging for injection into remote processes together suggest a well-built and complex piece of crimeware.
“As the value and popularity of cryptocurrencies continues to grow, so does the interest of cybercriminals.
The team behind the DoubleFinger loader and the GreetingGhoul malware stands out as sophisticated offenders with high skills in developing crimeware software, similar to advanced persistent threats.
Protecting cryptocurrencies is a shared responsibility between wallet providers, individuals and the wider cryptocurrency community.
And by staying vigilant, implementing strong security measures and staying up-to-date on the latest threats, we can mitigate risks and keep our valuable digital assets safe,” says Sergey Lozhkin, chief security researcher in Kaspersky’s Global Research and Analysis Group.
To keep crypto assets secure, Kaspersky experts also recommend:
- Buy from official sources: Buy hardware wallets only from official and trusted sources, such as the manufacturer’s website or authorized resellers. With hardware wallets, you should never enter the recovery seed on a computer. A hardware wallet seller will never ask for it.
- Check for signs of tampering: Before using a new hardware wallet, inspect it for any signs of tampering, such as scratches, glue, or mismatched components.
- Check the firmware: Always verify that the firmware on the hardware wallet is genuine and up-to-date. This can be done by checking the manufacturer’s website for the latest version.
- Secure the seed phrase: When setting up your hardware wallet, be sure to write down and securely store the seed phrase. A reliable security solution, such as Kaspersky Premium, will protect the cryptocurrencies stored on your phone or computer.
- Use a strong password: If your hardware wallet allows a password, use a strong and unique password. Avoid using easily predictable passwords or reusing passwords from other accounts.