June 16 (Portaltic/EP) –
A group of researchers has discovered a campaign of attacks against cryptocurrency wallets in Europe, the United States and Latin America. It operates through the multi-stage DoubleFinger malware, which deploys the GreetingGhoul cryptocurrency stealer and the Remcos Trojan.
Cybercriminals' interest in cryptocurrencies is growing rapidly, and in this case malicious actors have gone as far as developing criminal software very similar to advanced persistent threats (APTs) in order to access these assets.
The campaign uses complex, highly technical ‘software’ based on multi-stage execution, which has been named DoubleFinger. It was launched with the aim of stealing cryptocurrency credentials from users in European and Latin American countries, as well as the United States, as detailed by a group of Kaspersky researchers.
According to the investigation carried out by the cybersecurity company, the attack deploys, on the one hand, the cryptocurrency stealer GreetingGhoul and, on the other hand, the remote access Trojan (RAT) Remcos.
The attack begins when a user unknowingly opens a malicious file with a PIF extension, which can arrive as an email attachment. A PIF is a program information file; that is, it contains the information the Windows operating system needs to execute its content.
Once this malicious ‘software’ is opened, the first phase of the attack begins. It uses a Windows DLL binary (a library that contains code and data) that has been modified to run ‘shellcode’.
This ‘shellcode’, which is the code used to carry out malicious activity on the victim’s computer, downloads a PNG image that includes a malicious payload, which is launched in a later phase of the process.
At this point, according to Kaspersky, DoubleFinger goes through up to five phases to schedule GreetingGhoul, so that it runs every day at a specific time on the victim’s device.
With GreetingGhoul up and running, it proceeds to steal cryptocurrency credentials using two components. The first uses MS WebView2 to create overlays on the interfaces of the victim’s cryptocurrency wallets. The second is a service that steals confidential information, that is, passwords, recovery keys or phrases. With all this, the cybercriminals gain access to the cryptocurrencies.
Kaspersky has also detailed that the cybercriminals use DoubleFinger to deploy the Remcos remote access Trojan (RAT), which malicious actors usually use in attacks against companies and organizations.
Specifically, the ‘shellcode’ of this Trojan has steganography capabilities (the ability to hide messages within messages) and uses Windows COM interfaces to execute silently, which makes it harder to detect.
PROTECTION OF CRYPTOCURRENCIES
As explained by Sergey Lozhkin, principal security analyst at Kaspersky’s GReAT and a member of the group of researchers who discovered the new DoubleFinger threat, protection of crypto wallets against this type of attack “is the responsibility of the wallet providers, individuals and the cryptocurrency community in general”.
Based on this, he has warned that if users are “alert, informed and solid security measures are implemented”, they can manage to mitigate the risks to these “valuable digital assets”.
Within this framework, Kaspersky has provided some recommendations for keeping crypto assets safe. First, it has highlighted the importance of buying wallets only from official sources and, in addition, it has pointed out that with ‘hardware wallets’ it will never be necessary to enter the seed phrase on the computer.
When buying a ‘hardware wallet’, users must also check that it has not been tampered with. Any trace of glue, a scratch or a foreign component could be an indication that it has been handled previously. Another measure to take into account is to check the ‘firmware’, in addition to using difficult-to-crack passwords.