
DoubleFinger on the trigger: a multi-stage malware targeting cryptowallets

Kaspersky has discovered a new multi-stage attack campaign targeting cryptowallets in Europe, the USA and Latin America. The attack is built around the DoubleFinger loader, a complex piece of crimeware that deploys the GreetingGhoul cryptocurrency stealer and the Remcos Remote Access Trojan (RAT). Kaspersky’s analysis highlights the advanced techniques and high level of skill of the cybercriminals behind it.

As Kaspersky’s investigation shows, the DoubleFinger infection chain begins when the victim opens a malicious PIF attachment in an email message. A .pif file is an executable as far as the Windows shell is concerned, even though its icon and extension suggest an innocuous shortcut, so opening it is enough to run the loader’s first stage, a modified Windows DLL binary, which in turn executes malicious shellcode. That shellcode downloads a PNG image that carries a payload to be extracted and launched in a later stage; because the file is a valid image, the download looks like ordinary picture traffic rather than a second-stage fetch.

Figure: A .png file with embedded shellcode
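A practitioner triaging a suspicious image from such a download chain wants a quick structural check rather than a pixel-level one. The following is an added example, not code from Kaspersky’s report, and the hiding spots it looks for (bytes appended after the IEND chunk, non-standard chunk types, and high-entropy data inside chunks that the PNG specification does not define as compressed) are assumptions about where a loader might stash a payload, not a description of where DoubleFinger stores it. The sample images and the filler bytes standing in for an encrypted stage are constructed inline; the filler is not shellcode.

```python
"""
Triage a PNG for a smuggled payload by walking its chunk structure.
Added example; the embedding locations checked here are assumptions.
"""
import hashlib
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG specification; anything else deserves a look.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf",
}
# Chunks that are legitimately compressed, so high entropy there is expected.
COMPRESSED_OK = {b"IDAT", b"iCCP", b"zTXt", b"iTXt"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: compressed, encrypted or random data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def parse_png(blob: bytes) -> dict:
    """Walk the chunks in order and capture any bytes that follow IEND."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos, chunks, trailing = len(PNG_SIG), [], b""
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc_bytes = blob[pos + 8 + length:pos + 12 + length]
        crc_ok = (len(crc_bytes) == 4 and
                  struct.unpack(">I", crc_bytes)[0] == (zlib.crc32(ctype + data) & 0xFFFFFFFF))
        chunks.append({"type": ctype, "data": data, "crc_ok": crc_ok})
        pos += 12 + length
        if ctype == b"IEND":
            trailing = blob[pos:]  # a well-formed PNG ends here; viewers ignore the rest
            break
    return {"chunks": chunks, "trailing": trailing}


def find_suspicious(blob: bytes, min_bytes: int = 64, high_entropy: float = 7.0) -> list:
    """Return human-readable findings; an empty list means nothing odd was seen."""
    parsed = parse_png(blob)
    findings = []
    tail = parsed["trailing"]
    if len(tail) >= min_bytes:
        findings.append(f"{len(tail)} bytes after IEND, entropy {shannon_entropy(tail):.2f}")
    for ch in parsed["chunks"]:
        name = ch["type"].decode("latin-1")
        if not ch["crc_ok"]:
            findings.append(f"bad CRC on {name} chunk")
        if ch["type"] not in KNOWN_CHUNKS:
            findings.append(f"non-standard chunk {name} ({len(ch['data'])} bytes)")
        elif (ch["type"] not in COMPRESSED_OK and len(ch["data"]) >= min_bytes
              and shannon_entropy(ch["data"]) >= high_entropy):
            findings.append(f"high-entropy {name} chunk ({len(ch['data'])} bytes)")
    return findings


# ---- constructed samples (assumptions, not artefacts from the campaign) ----

def fake_payload(n: int = 1024) -> bytes:
    """Deterministic high-entropy filler standing in for an encrypted stage."""
    out, seed = b"", b"doublefinger-example"
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return out[:n]


def build_png(extra=(), append: bytes = b"") -> bytes:
    """Minimal valid 1x1 8-bit grayscale PNG, plus optional extra chunks and trailing bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    body = make_chunk(b"IHDR", ihdr)
    for ctype, data in extra:
        body += make_chunk(ctype, data)
    body += make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b"")
    return PNG_SIG + body + append


CLEAN = build_png()
TRAILING = build_png(append=fake_payload())                 # payload glued after IEND
SMUGGLED = build_png(extra=[(b"stEg", fake_payload(512))])  # payload in a made-up chunk

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("trailing", TRAILING), ("chunk", SMUGGLED)):
        print(label, find_suspicious(blob) or ["nothing suspicious"])
```

All three samples open as valid 1x1 images in any viewer, which is the point: image validity tells you nothing about what else the file carries. Trailing bytes after IEND and unknown chunk types are cheap, low-false-positive indicators; the entropy check is noisier and is there to catch a payload padded into a text chunk, so tune the threshold against your own benign image corpus before alerting on it.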

In all, it takes DoubleFinger five stages to reach its goal: creating a scheduled task that runs the GreetingGhoul stealer every day at a fixed time, which is the persistence artifact defenders should expect to find on an infected host. The loader then downloads another PNG file, decrypts it and executes it. GreetingGhoul is a stealer built to harvest cryptocurrency-related credentials and consists of two components: the first uses Microsoft WebView2 to draw overlays on top of cryptocurrency wallet interfaces, and the second detects installed cryptocurrency wallet apps and steals sensitive data from them, such as private keys and recovery phrases.

Figure: Fake Ledger and Trezor windows, examples of the overlays GreetingGhoul displays

Besides GreetingGhoul stealer, Kaspersky also found DoubleFinger samples that downloaded the Remcos RAT. Remcos is a well-known commercial RAT often used by cybercriminals in targeted attacks against businesses and organizations. The multi-staged, shellcode-style loader with steganography capabilities, the use of Windows COM interfaces for stealthy execution, and the implementation of process doppelgänging for injection into remote processes all point to a well-crafted and complex crimeware.

“As the value and popularity of cryptocurrencies continue to rise, so does the interest of cybercriminals. The group behind the DoubleFinger loader and GreetingGhoul malware stands out as a sophisticated actor with high skills in crimeware development, akin to advanced persistent threats. Protecting cryptowallets is a shared responsibility between the wallet providers, individuals, and the broader cryptocurrency community. And, by staying vigilant, implementing strong security measures, and staying informed about the latest threats, we can mitigate the risks and ensure the safety of our valuable digital assets,” says Sergey Lozhkin, a lead security researcher at Kaspersky’s GReAT.

Technology For You (https://www.technologyforyou.org)
