
Crypto Thieves Attack Again: New Loader Steals Cryptocurrency Info via Image Spyware


Sophisticated Cyberattack Using Unique Loader and Malware-Laced PNG Image File for Stealing Cryptocurrency and Business Account Information

According to Kaspersky researchers, a new multistage cyberattack campaign has targeted entities in the United States, Europe, and Latin America using a novel loader and a malware-laced PNG image file to drop malware for stealing cryptocurrency or business account information. The attack, which bears the artifacts of Russian-language origin, deploys a double-staged loader named “DoubleFinger” that drops an image file containing malicious code on the victim’s computer.

The Attack Chain

The attack begins with a phishing email that tricks the victim into opening the attached malicious program information file (.pif). This triggers a chain of stages in which shellcode downloads a PNG image from imgur.com that carries further shellcode hidden by steganography, the technique of concealing secret information inside non-secret data. The shellcode searches the PNG data for a particular marker string, 0xea79a5c6, which identifies the encrypted payload embedded in the image. At the end of this attack chain is GreetingGhoul, an infostealer that detects victims’ cryptocurrency wallet apps and steals the sensitive credentials associated with them.
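The PNG stage above is detectable from the defender's side without decoding anything: a legitimate image is a signature followed by CRC-protected chunks ending in IEND, so bytes after IEND, non-standard chunk types, bad CRCs, or the marker value the article names are all anomalies worth flagging. The following is an added example written for this page, not Kaspersky's tooling or any code from the campaign. It assumes the marker is searched as a raw 4-byte sequence (the byte order the loader uses is not stated, so both encodings are checked) and builds its own small PNG samples in memory so it runs offline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Marker value named in the article. Its byte order inside the PNG is an
# assumption, so both big- and little-endian encodings are searched.
MARKER_VALUE = 0xEA79A5C6
MARKER_PATTERNS = (MARKER_VALUE.to_bytes(4, "big"), MARKER_VALUE.to_bytes(4, "little"))

# Chunk types defined by the PNG specification; anything else is worth a look.
KNOWN_CHUNK_TYPES = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB",
    b"iCCP", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs", b"sBIT", b"sPLT",
    b"hIST", b"tIME",
}


def _chunk(ctype, data):
    """Serialize one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width=1, height=1, extra_chunks=(), trailer=b""):
    """Construct a minimal valid RGB PNG (constructed sample input, not a real file)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit RGB
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    body = _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw))
    for ctype, data in extra_chunks:
        body += _chunk(ctype, data)
    return PNG_SIGNATURE + body + _chunk(b"IEND", b"") + trailer


def parse_chunks(data):
    """Walk the chunk structure; return (chunks, bytes found after IEND)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        cdata = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(cdata) < length or len(crc_bytes) < 4:
            chunks.append({"type": ctype, "length": length, "truncated": True})
            return chunks, b""
        crc_ok = struct.unpack(">I", crc_bytes)[0] == (zlib.crc32(ctype + cdata) & 0xFFFFFFFF)
        chunks.append({"type": ctype, "length": length, "crc_ok": crc_ok, "truncated": False})
        pos += 12 + length
        if ctype == b"IEND":
            return chunks, data[pos:]
    return chunks, data[pos:]


def analyse_png(data):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    chunks, trailer = parse_chunks(data)
    findings = []
    if trailer:
        findings.append(f"{len(trailer)} bytes after IEND")
    for c in chunks:
        name = c["type"].decode("latin-1")
        if c["truncated"]:
            findings.append(f"truncated chunk {name}")
            continue
        if not c["crc_ok"]:
            findings.append(f"bad CRC in chunk {name}")
        if c["type"] not in KNOWN_CHUNK_TYPES:
            findings.append(f"non-standard chunk {name} ({c['length']} bytes)")
    for pattern in MARKER_PATTERNS:
        off = data.find(pattern)
        if off != -1:
            findings.append(f"marker {pattern.hex()} at offset {off}")
    return findings


# Constructed samples: a clean image, one with data appended after IEND carrying
# the marker, and one hiding the marker inside a private ancillary chunk.
CLEAN = build_png()
TRAILER_SAMPLE = build_png(trailer=b"\x00" * 16 + bytes.fromhex("ea79a5c6") + b"\x41" * 32)
CHUNK_SAMPLE = build_png(extra_chunks=[(b"daTa", bytes.fromhex("c6a579ea") + b"x" * 8)])

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("trailer", TRAILER_SAMPLE), ("chunk", CHUNK_SAMPLE)):
        print(label, analyse_png(sample) or "no findings")
```

The chunk walk is the part that generalizes: appended data after IEND and oversized or unknown ancillary chunks are the two common places to stash a payload in an otherwise valid image, and both survive re-hosting on image sites, so a mail gateway or sandbox that applies this check to inbound and downloaded PNGs gets a cheap signal independent of the specific marker.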

Infostealer’s Unique Functioning

GreetingGhoul, the malware used in the attack, has two primary functions: it detects victims’ cryptocurrency wallet apps, and it steals the sensitive credentials associated with them. GreetingGhoul uses MS WebView2 – a tool for embedding web code into desktop apps – to overlay phishing pages on top of legitimate crypto-wallet interfaces. These pages prompt victims to enter their wallet’s seed phrase, the ultrasensitive set of 12 or 24 words from which the private key is generated and which grants unfettered access to all contents of the wallet. This is why cryptocurrency investors have been reminded repeatedly never to give their seed phrases to anyone.

Russian-Speaking Artifacts in the Code

The Russian-speaking artifacts in the code suggest that the attackers belong to a Commonwealth of Independent States (CIS) nation, although the researchers have qualified that “the pieces of Russian text and the victimology are not enough to conclude that the ones behind this campaign are indeed from the post-Soviet space.”

Remcos RAT

Although the DoubleFinger loader is primarily designed for stealing cryptocurrency credentials, researchers have also observed it dropping Remcos RAT, a popular tool among financially motivated cybercriminals. Once the Remcos RAT infects an enterprise network, stopping the malware and its follow-on attacks can be challenging for businesses.

Editorial and Advice

It is difficult to prevent such a sophisticated attack using novel techniques like steganography. However, users should be cautious while opening emails from unknown sources or any emails that look suspicious. They should avoid clicking on any link or attachment until they have thoroughly verified the authenticity of the email. Reducing risk by securing passwords and implementing multi-factor authentication can lower the chances of falling prey to such attacks. Additionally, users should be more vigilant when transferring cryptocurrencies.

The novel and sophisticated techniques cybercriminals use to steal cryptocurrency will continue to evolve. A comprehensive, holistic approach to cybersecurity is therefore essential to mitigate these threats and prevent such attacks, as is staying vigilant and keeping security measures updated to stay ahead of the latest threats.
