A novel multi-stage loader named DoubleFinger has been observed delivering a cryptocurrency stealer dubbed GreetingGhoul in what is an advanced attack targeting users in Europe, the U.S., and Latin America.
"DoubleFinger is deployed on the target machine, when the victim opens a malicious PIF attachment in an email message, eventually executing the first of DoubleFinger's loader stages," Kaspersky researcher Sergey Lozhkin said in a Monday report.
The first stage of the attack is a modified version of espexe.exe – which refers to the Microsoft Windows Economical Service Provider application – that is engineered to execute shellcode responsible for retrieving a PNG image file from the image hosting service Imgur.
The image uses steganography to conceal an encrypted payload that triggers a four-stage compromise chain, which ultimately culminates in the execution of the GreetingGhoul stealer on the infected host.
A notable feature of GreetingGhoul is its use of Microsoft Edge WebView2 to build counterfeit overlays on top of legitimate cryptocurrency wallet applications in order to siphon credentials entered by unsuspecting users.
DoubleFinger, in addition to dropping GreetingGhoul, has also been observed delivering Remcos RAT, a commercial trojan that has been widely used by threat actors to strike European and Ukrainian entities in recent months.
The analysis "reveals a high level of sophistication and skill in crimeware development, akin to advanced persistent threats (APTs)," Lozhkin noted.
"The multi-staged, shellcode-style loader with steganographic capabilities, the use of Windows COM interfaces for stealthy execution, and the implementation of process doppelgänging for injection into remote processes all point to well-crafted and complex crimeware."
Some elements of this article are sourced from:
thehackernews.com