
Loader Distributes Spyware via Image and Steals Cryptocurrency Information


A group of Russian-speaking actors has launched a sophisticated attack that combines a new malicious loader with steganography, according to research Kaspersky published on June 12. The multi-stage campaign primarily targets organizations in Europe, the United States, and Latin America. It begins with a phishing email; if the recipient opens the lure, DoubleFinger, a multi-stage loader, is downloaded and in turn drops a PNG image onto the victim's computer. The image uses steganography, the technique of hiding secret information inside otherwise innocuous data, to carry an encrypted payload: malware that steals cryptocurrency or business account credentials.
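To make the steganography stage concrete, the following Python is an added illustration written for this article; it is not code from Kaspersky's report or from DoubleFinger, and the exact way the loader embeds its payload is not described here. It shows two generic ways an encrypted blob can ride inside a PNG that still renders normally (a private ancillary chunk, or bytes appended after IEND), plus the triage checks an analyst can run to catch both. The 1x1 carrier image, the payload bytes, the chunk name `stEg` and the XOR key are all constructed for the example, and the XOR routine stands in for real encryption.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Standard critical and ancillary chunk types from the PNG specification.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB",
    b"iCCP", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs", b"sBIT", b"sPLT",
    b"hIST", b"tIME",
}

def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def minimal_png() -> bytes:
    """Constructed carrier: a valid 1x1 8-bit greyscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    scanline = b"\x00\x80"  # filter type 0, one grey pixel
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(scanline))
            + png_chunk(b"IEND", b""))

def xor(data: bytes, key: bytes) -> bytes:
    """Toy repeating-key XOR standing in for the loader's real encryption."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def hide_in_chunk(png: bytes, payload: bytes, key: bytes) -> bytes:
    """Embed the encrypted payload in a private ancillary chunk ('stEg', an
    invented name) before IEND. Decoders skip ancillary chunks they do not
    know, so the image still renders normally."""
    iend = png_chunk(b"IEND", b"")
    if not png.endswith(iend):
        raise ValueError("carrier does not end with IEND")
    return png[:-len(iend)] + png_chunk(b"stEg", xor(payload, key)) + iend

def hide_after_iend(png: bytes, payload: bytes, key: bytes) -> bytes:
    """Append the encrypted payload after IEND; viewers stop reading at IEND."""
    return png + xor(payload, key)

def parse_chunks(png: bytes):
    """Walk the chunk list up to IEND. Returns ([(type, data, crc_ok)], trailer),
    where trailer is whatever follows IEND."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks = len(PNG_SIG), []
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 12 + length
        if end > len(png):
            raise ValueError(f"truncated chunk {ctype!r}")
        data = png[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", png[pos + 8 + length:end])[0]
        chunks.append((ctype, data, (zlib.crc32(ctype + data) & 0xFFFFFFFF) == crc))
        pos = end
        if ctype == b"IEND":
            break
    return chunks, png[pos:]

def triage(png: bytes) -> list:
    """Heuristic findings that suggest a PNG is carrying something it should not."""
    findings = []
    chunks, trailer = parse_chunks(png)
    idat_total = sum(len(d) for t, d, _ in chunks if t == b"IDAT")
    for ctype, data, crc_ok in chunks:
        name = ctype.decode("ascii", "replace")
        if not crc_ok:
            findings.append(f"bad CRC on chunk {name}")
        if ctype not in KNOWN_CHUNKS:
            findings.append(f"unknown chunk {name} ({len(data)} bytes)")
        # A lower-case first letter marks an ancillary chunk; one that outweighs
        # the whole pixel stream is a classic sign of a smuggled blob.
        if ctype[0] & 0x20 and len(data) > idat_total:
            findings.append(f"ancillary chunk {name} larger than all IDAT data")
    if trailer:
        findings.append(f"{len(trailer)} bytes of data after IEND")
    return findings

def recover(png: bytes, key: bytes) -> bytes:
    """Analyst-side extraction: decrypt a 'stEg' chunk or the post-IEND trailer."""
    chunks, trailer = parse_chunks(png)
    for ctype, data, _ in chunks:
        if ctype == b"stEg":
            return xor(data, key)
    return xor(trailer, key) if trailer else b""

if __name__ == "__main__":
    payload = b"constructed payload: not real shellcode"  # constructed sample
    key = b"k3y"
    for label, sample in (("clean", minimal_png()),
                          ("chunk", hide_in_chunk(minimal_png(), payload, key)),
                          ("trailer", hide_after_iend(minimal_png(), payload, key))):
        print(label, triage(sample) or "no findings", recover(sample, key))
```

The triage heuristics are deliberately cheap: a CRC mismatch, a chunk type outside the specification, an ancillary chunk bigger than the pixel data, or any bytes after IEND. None of these proves an image is malicious on its own, but each is easy to compute at scale on attachments and downloaded images, and a real loader's carrier will typically trip at least one of them because the encrypted payload has to live somewhere the decoder does not choke on.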

DoubleFinger's main purpose is to deliver GreetingGhoul, a novel infostealer designed specifically to siphon off cryptocurrency credentials. However, the Kaspersky researchers said they also observed DoubleFinger dropping Remcos RAT, a remote access tool popular among financially motivated cybercriminals, which gives the attackers interactive access to enterprise networks and makes it harder for businesses to stop the malware and its follow-on attacks.

Russian-language artifacts in the code suggest that the attackers come from a Commonwealth of Independent States nation. However, the researchers clarified that “the pieces of Russian text and the victimology are not enough to conclude that the ones behind this campaign are indeed from the post-Soviet space.”

Steganography, the art of hiding messages inside an image, is used in this attack to conceal the payload. At the end of the attack chain is GreetingGhoul, an infostealer that detects the victim's cryptocurrency wallet apps in order to steal the credentials associated with them. GreetingGhoul uses Microsoft Edge WebView2, a component for embedding web content in desktop apps, to overlay phishing pages on top of legitimate crypto-wallet interfaces. As with the banking Trojans of the past that used the same overlay technique, users unwittingly type their wallet credentials into attacker-controlled fields.

One overlay, for example, mimics the interface of Ledger, a widely used hardware-wallet vendor, and prompts the victim to enter the wallet's seed phrase, which gives the attacker unfettered access to the wallet's contents. Cryptocurrency investors are regularly reminded never to hand over their seed phrase to anyone, because it alone is enough to take over the wallet.

The campaign consists of targeted, individualized attacks that require some degree of manual work by the operators. Companies that discover any indication of such an attack can deploy security measures and rely on backup facilities to protect their data. The International Organization of Securities Commissions (IOSCO) and the World Economic Forum (WEF) have urged regulators to clarify and enforce regulatory requirements for virtual asset service providers (VASPs) to protect against these types of attacks. IOSCO believes that applying worldwide rules and regulations to VASPs could help prevent attacks on digital assets.
