Parallax, an advanced RAT that supports all Windows OS versions and functions as a MaaS, is now targeting cryptocurrency companies in a new campaign. It is using sophisticated injection techniques to hide within legitimate processes, making it difficult to detect.
Attack flow
According to Uptycs’s report, Parallax RAT functions as a multi-stage malware.
The stage-one payload is Visual C++ malware that carries executable code. It creates a copy of itself in the Windows Startup folder to maintain persistence.
It employs the process hollowing technique to inject the second-stage payload (Parallax) into a legitimate Microsoft process, pipanel[.]exe.
Parallax gathers sensitive data from compromised machines, such as system information and OS version, and provides keylogging and remote-control functionality for the next stage.
It stores the data in encrypted form and communicates with the C2 server to exfiltrate it. It loads DLLs dynamically and uses the RC4 algorithm to decrypt this data.
The malware contains a script that deletes the payload and erases any traces of its existence to make detection difficult.
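Two of the host-side behaviours in the attack flow above leave simple traces in endpoint telemetry: an executable copied into the Startup folder, and a legitimate Microsoft binary started by a parent that lives outside the system directories (what hollowing a freshly created, suspended child looks like from the outside). The triage script below is an added example, not code from the Uptycs report or this page; it assumes events already parsed into dicts carrying Sysmon-style field names (EventID 1 ProcessCreate, EventID 11 FileCreate), the sample events are constructed, and the on-disk location used for pipanel.exe in the sample is an assumption (the rule keys on the file name only).

```python
"""Low-fidelity triage heuristics for Startup-folder persistence and a
suspicious parent of a known hollowing target. Field names follow Sysmon
(Image, ParentImage, TargetFilename); the events are constructed for this
example and are not real telemetry."""
import ntpath

# Both the per-user and the all-users Startup folders contain this segment.
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
# Parents under these prefixes are treated as expected; anything else (user
# profile, Temp, ProgramData, removable media) is worth a closer look.
TRUSTED_PARENT_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Only the host named in the report; extend with other commonly abused binaries.
HOLLOWING_TARGETS = {"pipanel.exe"}


def is_startup_path(path):
    return STARTUP_MARKER in path.lower()


def has_executable_extension(path):
    return ntpath.splitext(path)[1].lower() in EXECUTABLE_EXTENSIONS


def is_trusted_location(path):
    return path.lower().startswith(TRUSTED_PARENT_PREFIXES)


def triage(events):
    """Return a list of (rule_name, detail) findings for the given events."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 11:
            target = ev["TargetFilename"]
            if is_startup_path(target) and has_executable_extension(target):
                findings.append(("startup_drop", f"{ev['Image']} wrote {target}"))
        elif ev.get("EventID") == 1:
            image, parent = ev["Image"], ev["ParentImage"]
            if ntpath.basename(image).lower() in HOLLOWING_TARGETS and not is_trusted_location(parent):
                findings.append(("suspicious_parent", f"{parent} started {image}"))
            if is_startup_path(image):
                findings.append(("startup_exec", f"{image} launched from the Startup folder"))
    return findings


# Constructed sample: a dropper copies itself to Startup, starts pipanel.exe,
# is re-launched at logon, followed by two benign events that must not fire.
STARTUP = "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe",
     "TargetFilename": STARTUP + "invoice.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\pipanel.exe",  # assumed path
     "ParentImage": STARTUP + "invoice.exe"},
    {"EventID": 1, "Image": STARTUP + "invoice.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\pipanel.exe",  # assumed path
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\notepad.exe",
     "TargetFilename": STARTUP + "notes.txt"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The Startup-folder rules will also fire on legitimate installers and logon items, so they are meant for triage and enrichment rather than blocking; the parent-image rule is the higher-signal one, since a Microsoft binary normally has a Microsoft parent.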
Abuse of Telegram
Once the malware has been successfully injected, attackers interact with the victims by asking questions and sharing their Telegram ID via Notepad for further communication.
An analysis of Telegram chats reveals that attackers are targeting crypto companies such as investment firms, exchanges, and wallet service providers.
Attackers identify the targeted companies' mail servers from their mail exchanger (MX) records using public sources such as DNSdumpster, then send phishing emails containing malicious files to distribute Parallax.
Wrapping up
This new Parallax RAT campaign is indicative of the trend toward MaaS and the adoption of Telegram for communication. It shows that the attackers behind the MaaS model are exclusively utilizing Telegram's alleged built-in encryption and its ability to create channels and large private groups. Crypto companies are advised to take the necessary precautions to protect their systems and data from such prevalent threats.