Beware: New DoubleFinger Loader Targets Cryptocurrency Wallets with Stealer

2023-06-13 15:31

A novel multi-stage loader called DoubleFinger has been observed delivering a cryptocurrency stealer dubbed GreetingGhoul in what's an advanced attack targeting users in Europe, the U.S., and Latin America.

"DoubleFinger is deployed on the target machine, when the victim opens a malicious PIF attachment in an email message, ultimately executing the first of DoubleFinger's loader stages," Kaspersky researcher Sergey Lozhkin said in a Monday report.

Exe - which refers to Microsoft Windows Economical Service Provider application - that's engineered to execute shellcode responsible for retrieving a PNG image file from the image hosting service Imgur.

The image employs steganographic trickery to conceal an encrypted payload that triggers a four-stage compromise chain which eventually culminates in the execution of the GreetingGhoul stealer on the infected host.

A notable aspect of GreetingGhoul is its use of Microsoft Edge WebView2 to create counterfeit overlays on top of legitimate cryptocurrency wallets to siphon credentials entered by unsuspecting users.

DoubleFinger, in addition to dropping GreetingGhoul, has also been spotted delivering Remcos RAT, a commercial trojan that has been widely used by threat actors to strike European and Ukrainian entities in recent months.

News URL

https://thehackernews.com/2023/06/beware-new-doublefinger-loader-targets.html

#cryptocurrency #wallets