Beware: New DoubleFinger Loader Targets Cryptocurrency Wallets with Stealer

News

Jun 13, 2023Ravie LakshmananCrimeware / Cryptocurrency

A novel multi-stage loader called DoubleFinger has been observed delivering a cryptocurrency stealer dubbed GreetingGhoul in what’s an advanced attack targeting users in Europe, the U.S., and Latin America.

“DoubleFinger is deployed on the target machine, when the victim opens a malicious PIF attachment in an email message, ultimately executing the first of DoubleFinger’s loader stages,” Kaspersky researcher Sergey Lozhkin said in a Monday report.

The starting point of the attacks is a modified version of espexe.exe – which refers to Microsoft Windows Economical Service Provider application – that’s engineered to execute shellcode responsible for retrieving a PNG image file from the image hosting service Imgur.

The image employs steganographic trickery to conceal an encrypted payload that triggers a four-stage compromise chain which eventually culminates in the execution of the GreetingGhoul stealer on the infected host.

Cybersecurity

A notable aspect of GreetingGhoul is its use of Microsoft Edge WebView2 to create counterfeit overlays on top of legitimate cryptocurrency wallets to siphon credentials entered by unsuspecting users.

DoubleFinger, in addition to dropping GreetingGhoul, has also been spotted delivering Remcos RAT, a commercial trojan that has been widely used by threat actors to strike European and Ukrainian entities in recent months.

The analysis “reveals a high level of sophistication and skill in crimeware development, akin to advanced persistent threats (APTs),” Lozhkin noted.

“The multi-staged, shellcode-style loader with steganographic capabilities, the use of Windows COM interfaces for stealthy execution, and the implementation of process doppelgänging for injection into remote processes all point to well-crafted and complex crimeware.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Products You May Like

Articles You May Like

Bitcoin Fog Founder Sentenced to 12 Years for Cryptocurrency Money Laundering
Amazon MOVEit Leaker Claims to Be Ethical Hacker
THN Recap: Top Cybersecurity Threats, Tools, and Practices (Nov 04 – Nov 10)
Researchers Warn of Privilege Escalation Risks in Google’s Vertex AI ML Platform
EU Ramps Up Cyber Resilience with Major Crisis Simulation Exercise

Leave a Reply

Your email address will not be published. Required fields are marked *