Kaspersky Lab Discovers Complex Multi-Stage Attack on Cryptocurrency Wallet Owners
Kaspersky Lab experts have uncovered a complex multi-stage attack on cryptocurrency wallet owners in Europe, the USA and Latin America. The attack is carried out using the DoubleFinger loader, which plants the GreetingGhoul stealer on the victim's system to harvest credentials and seed phrases from cryptocurrency wallets.
The Attack
The attack begins with an email to the victim carrying a malicious PIF attachment. Opening the attachment starts the first stage of the DoubleFinger loader. The full chain runs through five stages; the last of them creates a scheduled task on the victim's system that launches the GreetingGhoul stealer every day at a fixed time.
The researchers note that the analysis of DoubleFinger and GreetingGhoul shows their developers have advanced technical skills and are able to produce malware of APT-level quality. The multi-stage loader uses shellcode and steganography, relies on Windows COM interfaces for stealthy execution, and uses the Process Doppelgänging technique to inject into remote processes, all of which underlines the sophistication of the attack.
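The one persistence detail the report spells out is the final stage's daily scheduled task. As an added example (not code from Kaspersky or from the malware analysis), the following PowerShell hunt lists enabled scheduled tasks that have a daily trigger and whose executable lives outside the Windows and Program Files directories, which is where a loader dropped into a user profile or temp folder would sit. The set of "trusted" roots and the output columns are assumptions of this example, not indicators from the report.

```powershell
# Added example, not from the Kaspersky report: hunt for scheduled tasks that
# run daily and launch an executable from outside the OS/Program Files trees.
# The trusted-root list below is an assumption of this example; tune it per host.
$trustedRoots = @(
    $env:SystemRoot,                 # C:\Windows
    $env:ProgramFiles,               # C:\Program Files
    ${env:ProgramFiles(x86)}         # C:\Program Files (x86), absent on 32-bit hosts
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

function Test-TrustedPath {
    param([string]$Path)
    if (-not $Path) { return $false }
    # Strip surrounding quotes and expand %VARS% the way Task Scheduler does before comparing.
    $expanded = [Environment]::ExpandEnvironmentVariables($Path.Trim('"')).ToLowerInvariant()
    foreach ($root in $trustedRoots) {
        if ($expanded.StartsWith($root + '\')) { return $true }
    }
    return $false
}

$findings = foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
    # Only tasks with at least one daily trigger match the pattern described in the article.
    $daily = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskDailyTrigger' }
    if (-not $daily) { continue }

    # Look at "run a program" actions only; COM-handler actions have no Execute path.
    $execActions = $task.Actions | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskExecAction' }
    foreach ($action in $execActions) {
        if (Test-TrustedPath $action.Execute) { continue }
        $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
        [pscustomobject]@{
            Task        = $task.TaskPath + $task.TaskName
            Author      = $task.Author
            StartAt     = ($daily | Select-Object -First 1).StartBoundary
            Execute     = $action.Execute
            Arguments   = $action.Arguments
            LastRunTime = $info.LastRunTime
            NextRunTime = $info.NextRunTime
        }
    }
}

$findings | Sort-Object NextRunTime | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so tasks registered by other users and by SYSTEM are visible. The path check is deliberately narrow: a task whose Execute is a trusted host such as a scripting engine or rundll32 with the payload passed in Arguments would slip through, so review the Arguments column as well rather than treating an empty result as a clean host.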
The Malware
GreetingGhoul consists of two components. The first uses the Microsoft WebView2 runtime to draw fake windows that overlay the interface of genuine cryptocurrency wallets, so that the user types the seed phrase into the attacker's form; anyone holding the seed phrase can restore the wallet and move its funds. The second one searches the victim's device for installed cryptocurrency wallet applications.
The report also notes that some DoubleFinger samples downloaded the Remcos RAT. This is a well-known commercial remote-access tool that gives attackers full remote control of the host, and it has previously been seen in targeted attacks on various organizations.
Experts found several text fragments in Russian in the malware code. For example, the command and control server URL begins with "Privetsvoyu", a distorted transliteration of the Russian word for "Greetings". In addition, the string "salamvsembratya myazadehayustutlokeretodlyagadovveubilinashusferu" is a distorted transliteration of a Russian phrase meaning "Salam to all brothers, I am suffocating here, the locker is for reptiles, you killed our sphere".
However, the experts say this is not enough to conclude that Russian-speaking attackers are behind the campaign.