A new multi-stage loader called DoubleFinger has been observed in a sophisticated attack targeting users in Europe, the United States, and Latin America, delivering a cryptocurrency stealer dubbed GreetingGhoul.
“When a victim opens a malicious PIF attachment within an email message, DoubleFinger is deployed on the target machine, ultimately executing DoubleFinger’s first loader stage,” Kaspersky researcher Sergey Lozhkin said in a report published Monday.
The starting point of the attack is Espex.exe, which the report identifies as the Microsoft Windows Economic Service Provider application. It is designed to run shellcode that retrieves a PNG image file from the image hosting service Imgur.
The image uses steganography to conceal an encrypted payload, which triggers a four-stage compromise chain that ultimately runs the GreetingGhoul stealer on the infected host.
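Image files hosted on a public service make a convenient carrier for a later stage because the download looks like ordinary browsing. The report does not publish how DoubleFinger's shellcode locates or decrypts the payload inside the PNG, so the following is not Kaspersky's code or the malware's logic. It is an added triage example that generalizes the point: a small PNG chunk walker that flags the structural signs a responder checks first when an image is suspected of carrying a payload, namely data appended after the IEND chunk, chunk types a normal encoder never emits, CRC mismatches, and high entropy (a hint of encryption) in any trailing data. The sample PNGs, the function names (`build_png`, `triage_png`) and the chunk whitelist are all constructed for the example.

```python
import math
import struct
import zlib
from collections import Counter

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types a standard encoder emits (assumed whitelist for this example).
# Anything outside it deserves a look; it is not proof of malice on its own.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt", b"gAMA",
    b"cHRM", b"sRGB", b"iCCP", b"bKGD", b"pHYs", b"sBIT", b"tIME", b"tRNS",
    b"hIST", b"sPLT",
}


def _chunk(ctype, body):
    """Encode one PNG chunk: 4-byte length, 4-byte type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(extra_chunks=(), trailer=b""):
    """Constructed sample: a valid 1x1 RGB PNG, optionally with extra chunks
    inserted before IEND and arbitrary bytes appended after it."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, colour type 2 (RGB)
    raw = b"\x00" + b"\xff\x00\x00"                      # filter byte + one red pixel
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw))
    for ctype, body in extra_chunks:
        png += _chunk(ctype, body)
    return png + _chunk(b"IEND", b"") + trailer


def parse_png_chunks(data):
    """Walk the chunk list. Returns ([(type, length, offset, crc_ok), ...], end_of_image),
    where end_of_image is the offset just past IEND, or None if IEND was never reached."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks = []
    end_of_image = None
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            break  # truncated chunk; a decoder would reject this too
        body = data[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        crc_ok = stored_crc == (zlib.crc32(ctype + body) & 0xFFFFFFFF)
        chunks.append((ctype, length, pos, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            end_of_image = pos
            break
    return chunks, end_of_image


def shannon_entropy(buf):
    """Bits per byte; ~8.0 for encrypted or compressed data, lower for text or code."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def triage_png(data, entropy_threshold=7.5):
    """Return a list of human-readable findings; an empty list means nothing structural stood out."""
    findings = []
    chunks, end = parse_png_chunks(data)
    for ctype, length, offset, crc_ok in chunks:
        name = ctype.decode("latin-1")
        if ctype not in KNOWN_CHUNKS:
            findings.append(f"non-standard chunk {name!r} ({length} bytes) at offset {offset}")
        if not crc_ok:
            findings.append(f"CRC mismatch on chunk {name!r} at offset {offset}")
    if end is None:
        findings.append("no IEND chunk reached (truncated or malformed image)")
    elif end < len(data):
        trailer = data[end:]
        ent = shannon_entropy(trailer)
        note = "high entropy, likely encrypted or compressed" if ent >= entropy_threshold else "low entropy"
        findings.append(f"{len(trailer)} bytes after IEND at offset {end} ({note}, {ent:.2f} bits/byte)")
    return findings


if __name__ == "__main__":
    # Constructed "carrier": deterministic uniform bytes stand in for an encrypted blob.
    blob = bytes((i * 131 + 7) % 256 for i in range(4096))
    for label, sample in [
        ("clean", build_png()),
        ("trailer", build_png(trailer=blob)),
        ("custom chunk", build_png(extra_chunks=[(b"pAyL", blob)])),
    ]:
        print(label, "->", triage_png(sample) or ["nothing flagged"])
```

Run it against a suspect image with `triage_png(open(path, "rb").read())`. The caveat a practitioner should keep in mind: this only catches carriers that break or extend the PNG container. A payload hidden in the pixel data itself (least-significant-bit embedding, for example) decodes as a perfectly valid image and will not be flagged by chunk-level checks; recovering it requires the loader's own extraction logic, which the report does not describe.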
What makes GreetingGhoul notable is its use of Microsoft Edge WebView2 to create fake overlays on top of legitimate cryptocurrency wallet applications and siphon the credentials that unsuspecting users enter into them.
In addition to dropping GreetingGhoul, DoubleFinger has also been found to distribute Remcos RAT, a commercial Trojan widely used by threat actors to attack organizations in Europe and Ukraine in recent months.
The analysis “revealed advanced techniques and skills in crimeware development similar to advanced persistent threats (APTs),” Lozhkin noted.
“A multi-stage shellcode-style loader with steganography, use of Windows COM interfaces for stealthy execution, and process doppelgänging for injection into a remote process represent complex, well-crafted crimeware.”