A novel multi-stage loader termed DoubleFinger has been observed delivering a cryptocurrency stealer dubbed GreetingGhoul in what is an advanced attack targeting people in Europe, the U.S., and Latin America.
“DoubleFinger is deployed on the target machine when the victim opens a malicious PIF attachment in an email message, ultimately executing the first of DoubleFinger’s loader stages,” Kaspersky researcher Sergey Lozhkin said in a Monday report.
The starting point of the attacks is a modified version of espexe.exe, which refers to the Microsoft Windows Economical Service Provider application, engineered to execute shellcode responsible for retrieving a PNG image file from the image hosting service Imgur.
The image employs steganographic trickery to conceal an encrypted payload that triggers a four-stage compromise chain which eventually culminates in the execution of the GreetingGhoul stealer on the infected host.
A notable feature of GreetingGhoul is its use of Microsoft Edge WebView2 to create counterfeit overlays on top of legitimate cryptocurrency wallets to siphon credentials entered by unsuspecting users.
DoubleFinger, in addition to dropping GreetingGhoul, has also been spotted delivering Remcos RAT, a commercial trojan that has been widely used by threat actors to strike European and Ukrainian entities in recent months.
The analysis “reveals a high degree of sophistication and skill in crimeware development, akin to advanced persistent threats (APTs),” Lozhkin noted.
“The multi-staged, shellcode-style loader with steganographic capabilities, the use of Windows COM interfaces for stealthy execution, and the implementation of process doppelgänging for injection into remote processes all point to well-crafted and complex crimeware.”
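The article does not say how the encrypted payload is hidden inside the PNG. The following is an added example (not code from Kaspersky or from the original report) that shows one defensive check a practitioner can run over images pulled from an image host: it walks the PNG chunk structure, verifies each chunk's CRC, flags chunk types that are not in the PNG specification, flags oversized ancillary chunks, and reports any bytes appended after the IEND chunk. Those are common ways to smuggle data in an image file that still renders normally; the check is a heuristic and would not detect pixel-level (LSB) steganography. The sample PNG and the appended data are constructed inside the script; the function names are this example's own.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG spec plus the common APNG and eXIf extensions.
STANDARD_CHUNKS = {
    "IHDR", "PLTE", "IDAT", "IEND", "cHRM", "gAMA", "iCCP", "sBIT", "sRGB",
    "bKGD", "hIST", "tRNS", "pHYs", "sPLT", "tIME", "iTXt", "tEXt", "zTXt",
    "eXIf", "acTL", "fcTL", "fdAT",
}


def parse_png_chunks(data):
    """Walk the chunk list of a PNG file.

    Returns (chunks, trailing) where chunks is a list of
    (chunk_type, length, crc_ok) tuples in file order and trailing is
    whatever bytes follow the IEND chunk (empty for a clean file).
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        name = ctype.decode("latin-1")
        if len(body) < length or len(crc_bytes) < 4:
            # Truncated chunk: record it with a failed CRC and stop.
            chunks.append((name, length, False))
            return chunks, b""
        expected = zlib.crc32(ctype + body) & 0xFFFFFFFF
        crc_ok = struct.unpack(">I", crc_bytes)[0] == expected
        chunks.append((name, length, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            return chunks, data[pos:]
    return chunks, b""


def suspicious_indicators(data, max_ancillary=1024):
    """Return a list of human-readable findings for a PNG byte string."""
    chunks, trailing = parse_png_chunks(data)
    findings = []
    for name, length, crc_ok in chunks:
        if not crc_ok:
            findings.append(f"bad CRC in chunk {name}")
        if name not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {name} ({length} bytes)")
        elif name not in ("IHDR", "PLTE", "IDAT", "IEND") and length > max_ancillary:
            findings.append(f"oversized ancillary chunk {name} ({length} bytes)")
    if trailing:
        findings.append(f"{len(trailing)} bytes after IEND")
    return findings


def make_chunk(ctype, body):
    """Assemble one PNG chunk with a correct CRC."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(extra_chunk=None, trailing=b""):
    """Construct a minimal valid 1x1 RGB PNG (sample data for this example).

    extra_chunk is an optional (type, body) pair inserted before IEND and
    trailing is appended after IEND, to simulate the two anomalies checked.
    """
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00" + b"\xff\x00\x00")     # filter byte + red pixel
    png = PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", idat)
    if extra_chunk is not None:
        png += make_chunk(*extra_chunk)
    return png + make_chunk(b"IEND", b"") + trailing


if __name__ == "__main__":
    clean = build_sample_png()
    print("clean:", suspicious_indicators(clean))
    # Constructed sample: a private chunk carrying 2000 bytes plus 64 appended bytes.
    tampered = build_sample_png(extra_chunk=(b"stEg", b"X" * 2000), trailing=b"A" * 64)
    print("tampered:", suspicious_indicators(tampered))
```

In practice the function is run over image files fetched by a process that has no business fetching images (a modified system binary reaching an image host, as described above), and any finding is escalated for payload extraction and sandboxing rather than treated as a verdict on its own.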
Some parts of this article are sourced from:
thehackernews.com