Cybercriminals have added a new multi-stage malware loader called DoubleFinger to their arsenal for stealing cryptocurrency and business information. The loader is being used in a campaign targeting entities in Europe, the U.S., and Latin America, and the campaign uses steganography to hide malware components from detection.
More in detail
Researchers attribute the campaign to Russian-speaking actors.
The infection chain begins with a phishing email carrying a malicious PIF attachment.
When the victim opens the file, it starts the infection chain, whose first stage downloads the DoubleFinger loader.
In a later stage, the loader drops GreetingGhoul, a novel stealer designed to siphon cryptocurrency credentials.
In some cases, DoubleFinger has been found dropping Remcos RAT alongside GreetingGhoul on victims’ systems.
About GreetingGhoul
GreetingGhoul comprises two major components that work together to steal cryptocurrency credentials.
One component uses Microsoft WebView2 to draw overlays on top of cryptocurrency wallet interfaces and capture the credentials the user enters into them.
The other detects installed cryptocurrency wallet apps and steals sensitive information from them.
Conclusion
Researchers indicate that the use of the DoubleFinger loader and the GreetingGhoul stealer against cryptocurrency wallets reflects a high level of sophistication on the part of the cybercriminals. The attackers also combine several evasion techniques, including Windows COM interfaces, steganography, and process doppelganging, to keep the attack stealthy. To protect themselves, organizations should review the TTPs and IOCs associated with the malware and threat actors to understand the attack patterns and build matching detections. Because steganography defeats static scanning of the downloaded images and process doppelganging avoids writing a conventional executable to disk, hash-based IOCs alone are not enough: detections should also cover behaviors visible on the endpoint, such as PIF attachments being executed from a mail client and the transactional NTFS (TxF) operations that process doppelganging depends on.
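The post says that DoubleFinger hides later stages with steganography but not how, so the following is an added triage script, not code from the original post or from the researchers' analysis. It implements generic checks an analyst would run on an image pulled from a suspicious infection chain: bytes appended after the PNG IEND chunk, chunk types outside the PNG standard, chunks that begin with a PE "MZ" header, and text chunks whose entropy looks like ciphertext. The chunk names, thresholds and the constructed sample images are assumptions for illustration, not details of the DoubleFinger samples.

```python
"""Generic PNG triage: flag structures that commonly carry a hidden payload.
Added example; the checks, thresholds and sample files are illustrative
assumptions, not the steganography scheme used by DoubleFinger."""
import hashlib
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}
ENTROPY_THRESHOLD = 7.5  # bits/byte; English text sits near 4-5, ciphertext near 8
MIN_ENTROPY_LEN = 256    # entropy of a very short chunk is not meaningful


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_chunks(png: bytes):
    """Walk the chunk list; return ([(type, data, crc_ok), ...], bytes after IEND)."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(png):  # a chunk is at least length + type + CRC
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        crc = png[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc) != 4:
            raise ValueError("truncated chunk")
        crc_ok = (zlib.crc32(ctype + data) & 0xFFFFFFFF) == struct.unpack(">I", crc)[0]
        chunks.append((ctype, data, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, png[pos:]


def find_anomalies(png: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    chunks, trailing = parse_chunks(png)
    findings = []
    if trailing:
        findings.append(f"{len(trailing)} bytes appended after IEND")
        if trailing[:2] == b"MZ":
            findings.append("appended data begins with an MZ (PE) header")
    for ctype, data, crc_ok in chunks:
        name = ctype.decode("ascii", errors="replace")
        if not crc_ok:
            findings.append(f"bad CRC on {name} chunk")
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {name} ({len(data)} bytes)")
        if data[:2] == b"MZ":
            findings.append(f"{name} chunk begins with an MZ (PE) header")
        # Text and unknown chunks should not look like ciphertext; IDAT/zTXt are compressed, so skip them.
        if (ctype not in STANDARD_CHUNKS or ctype in (b"tEXt", b"iTXt")) and len(data) >= MIN_ENTROPY_LEN:
            ent = shannon_entropy(data)
            if ent > ENTROPY_THRESHOLD:
                findings.append(f"high-entropy {name} chunk ({ent:.2f} bits/byte)")
    return findings


def build_png(extra_chunks=(), trailing=b"") -> bytes:
    """Construct a valid 1x1 grayscale PNG as test input (constructed, not a real sample)."""
    def chunk(ctype, data):
        return (struct.pack(">I", len(data)) + ctype + data
                + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grayscale
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
    body = chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat)
    for ctype, data in extra_chunks:
        body += chunk(ctype, data)
    return PNG_SIG + body + chunk(b"IEND", b"") + trailing


# Constructed stand-in for an encrypted stage: 2048 deterministic pseudo-random bytes.
FAKE_PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))

SAMPLE_CLEAN = build_png([(b"tEXt", b"Comment\x00holiday photo")])
SAMPLE_APPENDED = build_png(trailing=b"MZ" + FAKE_PAYLOAD)   # payload glued after IEND
SAMPLE_CHUNK = build_png([(b"daTa", FAKE_PAYLOAD)])          # payload in a made-up chunk

if __name__ == "__main__":
    for label, sample in [("clean", SAMPLE_CLEAN), ("appended", SAMPLE_APPENDED),
                          ("custom chunk", SAMPLE_CHUNK)]:
        print(label, "->", find_anomalies(sample) or ["no findings"])
```

These checks catch the crude ways of smuggling a stage inside an image (appended blobs, private chunks, plaintext PE headers); a payload spread across pixel least-significant bits will pass them while still decoding to a valid image, which is why the script is a triage aid and the endpoint behaviors named above still need their own detections.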