Multi-stage DoubleFinger malware steals cryptocurrencies in Europe, the United States and Latin America

Cryptocurrency theft is on the rise in the United States, Latin America and Europe via the multi-stage DoubleFinger loader, which deploys the GreetingGhoul cryptocurrency stealer and the Remcos Trojan

A group of researchers has discovered a campaign against cryptocurrency wallets in Europe, the United States and Latin America. It is built around DoubleFinger, a multi-stage loader that deploys two payloads: the GreetingGhoul cryptocurrency stealer and the Remcos remote access Trojan.

Cybercriminal interest in cryptocurrency is growing rapidly, and in this case the attackers have built crimeware with a level of sophistication normally associated with Advanced Persistent Threats (APTs) in order to reach these assets.

According to a group of Kaspersky researchers, the campaign relies on a technically advanced piece of malware with multi-stage execution, named DoubleFinger, and its aim is to steal cryptocurrency wallet credentials from users in European and Latin American countries as well as the United States.

According to the cybersecurity company's investigation, the attack is carried out by two payloads that DoubleFinger delivers: the GreetingGhoul cryptocurrency stealer on the one hand, and the Remcos Remote Access Trojan (RAT) on the other.

The attack starts when a user unknowingly opens a malicious file with a PIF extension, typically attached to an email. PIF stands for Program Information File, a legacy format Windows treats as an executable: double-clicking it runs its contents just as an .exe would, so the attacker can ship an ordinary Windows executable under this less familiar extension.

Once this malicious file is opened, the first stage of the attack begins. It uses a Windows DLL, a library of code and data that legitimate programs load, which has been patched so that it executes shellcode.

This shellcode, a small self-contained piece of machine code that runs the attacker's logic inside the victim's process, downloads a PNG image with the next malicious payload hidden inside it; that payload is extracted and launched in a later stage of the chain.
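The two artefacts in the chain so far, a .pif attachment that is really a Windows executable and a PNG that carries more than an image, can both be checked cheaply during mail or incident triage. The following Python is an added example, not code from the dpa report or from Kaspersky's analysis: it checks for a PE header behind the extension and walks the PNG chunk list looking for the places a payload can sit without breaking the image. The sample bytes are constructed for the demonstration and do not reproduce DoubleFinger's real file layout or encoding, which the report does not detail.

```python
"""Attachment triage for the two artefacts in the chain above: a .pif file
that is really a PE executable, and a PNG that carries data outside the image.
Added example with constructed sample bytes; it does not reproduce DoubleFinger's
actual file layout or encoding."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG spec plus the common APNG/eXIf extensions.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB",
    b"iCCP", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs", b"sBIT", b"sPLT",
    b"hIST", b"tIME", b"eXIf", b"acTL", b"fcTL", b"fdAT",
}


def is_pe_executable(data: bytes) -> bool:
    """True if the bytes are a PE image: an 'MZ' DOS header whose e_lfanew field
    points at the 'PE\\0\\0' signature. Windows runs .pif/.scr/.com files as
    executables regardless of the extension, so this is the check to apply."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def parse_png(data: bytes):
    """Walk the chunk list; return ([(type, body, crc_ok)], offset_after_IEND)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    chunks, pos = [], len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        if pos + 12 + length > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack_from(">I", data, pos + 8 + length)[0]
        chunks.append((ctype, body, zlib.crc32(ctype + body) == crc))
        pos += 12 + length
        if ctype == b"IEND":
            break          # anything past here is not part of the image
    return chunks, pos


def analyse_png(data: bytes) -> dict:
    """Flag the places a payload can hide in a PNG without breaking the image:
    bytes appended after IEND, chunk types no decoder knows, and oversized
    ancillary chunks (decoders skip unknown chunks, so they are free storage)."""
    chunks, end = parse_png(data)
    report = {
        "trailing_bytes": len(data) - end,
        "unknown_chunks": [t.decode("latin-1") for t, _, _ in chunks if t not in STANDARD_CHUNKS],
        "bad_crc_chunks": [t.decode("latin-1") for t, _, ok in chunks if not ok],
        "large_ancillary_chunks": [t.decode("latin-1") for t, b, _ in chunks
                                   if t not in (b"IDAT", b"PLTE", b"iCCP") and len(b) > 4096],
    }
    report["suspicious"] = any(report[k] for k in ("trailing_bytes", "unknown_chunks",
                                                   "bad_crc_chunks", "large_ancillary_chunks"))
    return report


def triage_attachment(name: str, data: bytes) -> list:
    """Human-readable findings for one attachment; an empty list means nothing found."""
    findings = []
    if name.lower().endswith((".pif", ".scr", ".com")) and is_pe_executable(data):
        findings.append(f"{name}: PE executable behind a .{name.rsplit('.', 1)[-1]} extension")
    if data.startswith(PNG_SIGNATURE):
        r = analyse_png(data)
        if r["trailing_bytes"]:
            findings.append(f"{name}: {r['trailing_bytes']} bytes appended after IEND")
        for key in ("unknown_chunks", "large_ancillary_chunks", "bad_crc_chunks"):
            if r[key]:
                findings.append(f"{name}: {key} {r[key]}")
    return findings


# ---- constructed samples (not real malware) ----
def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def make_png(trailer: bytes = b"", extra=()) -> bytes:
    """A valid 1x1 RGB PNG, optionally with extra chunks before IDAT and bytes after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")          # filter byte + one red pixel
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    png += b"".join(_chunk(t, b) for t, b in extra)
    return png + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailer


CLEAN_PNG = make_png()
STEGO_PNG = make_png(trailer=b"\x90\x90\xcc" * 20)            # blob appended after IEND
CHUNK_PNG = make_png(extra=[(b"stEg", b"\xcc" * 5000)])       # private chunk used as storage
FAKE_PIF = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20

if __name__ == "__main__":
    for name, blob in [("invoice.pif", FAKE_PIF), ("photo.png", CLEAN_PNG),
                       ("photo2.png", STEGO_PNG), ("photo3.png", CHUNK_PNG)]:
        print(name, triage_attachment(name, blob) or "clean")
```

Treat the PNG findings as a triage signal rather than proof: some image editors leave bytes after IEND and private chunks are legal, but a "photo" that arrives next to a .pif and carries an appended blob or a multi-kilobyte unknown chunk deserves a closer look. The PE check is the stronger signal, since there is no legitimate reason for an e-mailed .pif to be a Windows executable.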

According to Kaspersky, DoubleFinger runs through five stages in total. The final stage establishes persistence for GreetingGhoul by creating a scheduled task that launches the stealer on the victim's device every day at a fixed time.
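A daily scheduled task that launches a program from a user-writable directory is a hunting pattern worth automating. The Python below is an added example, not part of the dpa article or Kaspersky's report: it parses Windows Task Scheduler XML definitions (the files under C:\Windows\System32\Tasks) and flags tasks that combine a daily calendar trigger with a command under paths such as %APPDATA%, %TEMP% or ProgramData. The two task definitions are constructed for the demonstration; the real DoubleFinger task name, path and time are not given in the article and are not reproduced here.

```python
"""Hunt for the persistence pattern described above: a scheduled task that
launches a program every day at a fixed time from a user-writable directory.
Added example; the task definitions below are constructed, not DoubleFinger's."""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories an unprivileged user can write to. Legitimate daily tasks rarely
# run from them; droppers that land in the user profile almost always do.
USER_WRITABLE = re.compile(
    r"(%appdata%|%localappdata%|%temp%|%tmp%|%public%"
    r"|\\users\\[^\\]+\\appdata\\|\\programdata\\|\\users\\public\\|\\windows\\temp\\)",
    re.IGNORECASE,
)


def hunt_task(xml_text: str) -> dict:
    """Parse one Task Scheduler XML definition and report whether it matches the
    daily-run-from-user-path pattern. On disk the files are UTF-16 with an XML
    declaration; read them with open(path, encoding="utf-16") before calling this."""
    root = ET.fromstring(xml_text)
    daily_at = []
    for trig in root.findall("t:Triggers/t:CalendarTrigger", TASK_NS):
        if trig.find("t:ScheduleByDay", TASK_NS) is not None:
            start = trig.findtext("t:StartBoundary", default="", namespaces=TASK_NS)
            daily_at.append(start[11:16] if "T" in start else start)   # HH:MM of the run
    commands = [
        (ex.findtext("t:Command", default="", namespaces=TASK_NS).strip('"'),
         ex.findtext("t:Arguments", default="", namespaces=TASK_NS))
        for ex in root.findall("t:Actions/t:Exec", TASK_NS)
    ]
    user_paths = [cmd for cmd, _ in commands if USER_WRITABLE.search(cmd)]
    return {
        "daily_at": daily_at,
        "commands": commands,
        "user_writable": user_paths,
        "suspicious": bool(daily_at) and bool(user_paths),
    }


def hunt_tasks(tasks: dict) -> list:
    """Run hunt_task over {task_name: xml_text} and return the suspicious names."""
    return [name for name, xml in tasks.items() if hunt_task(xml)["suspicious"]]


# Constructed sample: vendor updater under Program Files, daily at 09:00 (benign pattern).
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2023-06-01T09:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Vendor\updater.exe</Command><Arguments>/silent</Arguments></Exec>
  </Actions>
</Task>"""

# Constructed sample: daily at 13:00, binary dropped under %APPDATA% (the pattern to catch).
SUSPECT_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2023-06-01T13:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>"%APPDATA%\updater\update.exe"</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    sample = {"Vendor Update": BENIGN_TASK, "Update Service": SUSPECT_TASK}
    for name, xml in sample.items():
        print(name, hunt_task(xml))
    print("suspicious:", hunt_tasks(sample))
```

In a live hunt, point the loop at every file under C:\Windows\System32\Tasks (or at the output of `schtasks /query /xml`) and review anything returned by `hunt_tasks`. The path heuristic is deliberately broad; expect a few false positives from per-user installers and tune the regular expression to the estate.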

With GreetingGhoul running, the attackers steal cryptocurrency credentials using two components. The first uses MS WebView2 to draw overlays on top of the victim's wallet application interface, tricking the user into typing secrets into a fake prompt. The second detects wallet software on the machine and harvests the sensitive data it stores, such as recovery (seed) phrases and private keys. With these, the criminals gain control of the victim's cryptocurrency.

Kaspersky has also detailed that the criminals use the same DoubleFinger loader to deploy the Remcos RAT, a commercial remote access Trojan that threat actors frequently use in attacks against companies and organizations.

The loader's shellcode uses steganography, hiding its next stage inside an otherwise ordinary file such as the PNG image mentioned above, and calls Windows COM interfaces to execute the following stages quietly, which makes detection harder.

Protection for cryptocurrencies

Sergey Lozhkin, principal security analyst at Kaspersky's GReAT and one of the researchers who discovered the DoubleFinger threat, explained that against this type of attack the protection of crypto wallets "is the responsibility of the providers of wallets, individuals, and the cryptocurrency community in general."

He added that if users are "alert, informed and solid security measures are implemented", they can protect these "valuable digital assets".

Kaspersky has also provided recommendations for keeping crypto assets safe. First, it stresses buying wallets only from official sources, and points out that with a hardware wallet it is never necessary to enter the seed phrase into the computer, so any software that asks for it should be treated as suspect.

When buying a hardware wallet, users should also check that it has not been tampered with: any trace of glue, a scratch or a foreign component could indicate that the device has been handled. Other measures are to verify that the device's firmware is genuine and to use strong, hard-to-crack passwords.

Source: dpa

(Reference image source: KeepCoding, Unsplash)

