New DoubleFinger Loader Targets Cryptocurrency Wallets with Stealer



Jun 13, 2023Ravie LakshmananCrimeware / Cryptocurrency


A novel multi-stage loader referred to as DoubleFinger has been observed delivering a cryptocurrency stealer dubbed GreetingGhoul in what is a sophisticated attack targeting users in Europe, the U.S., and Latin America.

“DoubleFinger is deployed on the target machine, when the victim opens a malicious PIF attachment in an email message, ultimately executing the first of DoubleFinger’s loader stages,” Kaspersky researcher Sergey Lozhkin said in a Monday report.

The starting point of the attacks is a modified version of espexe.exe, the Microsoft Windows Economical Service Provider application, that is engineered to execute shellcode responsible for retrieving a PNG image file from the image hosting service Imgur.

The image employs steganographic trickery to conceal an encrypted payload that triggers a four-stage compromise chain, which ultimately culminates in the execution of the GreetingGhoul stealer on the infected host.
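As an added defender-side example (not code from Kaspersky's report or from the loader itself), the following Python walks a PNG's chunk table the way an analyst triaging a retrieved image would, flagging the two places a hidden payload commonly sits: non-standard or oversized chunks, and bytes appended after IEND. The report does not say where DoubleFinger stores its payload, so the sample images and the `prVt` chunk name below are constructed.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG spec; anything else deserves a closer look.
KNOWN = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP", b"sBIT",
         b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs", b"sPLT", b"tIME"}
CRITICAL = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}


def triage_png(data: bytes, ancillary_limit: int = 4096) -> dict:
    """Walk the chunk table; an empty 'flags' list means the file looks like plain pixels."""
    if not data.startswith(PNG_SIG):
        return {"valid": False, "flags": ["bad signature"], "trailing_bytes": 0}
    flags, pos, seen_iend = [], len(PNG_SIG), False
    while pos + 12 <= len(data) and not seen_iend:
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            flags.append(f"truncated chunk {ctype!r}")
            break
        # Viewers tolerate a bad CRC on ancillary chunks, so data can be stashed there freely.
        if struct.pack(">I", zlib.crc32(ctype + body)) != crc:
            flags.append(f"bad CRC in {ctype!r}")
        if ctype not in KNOWN:
            flags.append(f"non-standard chunk {ctype!r} ({length} bytes)")
        elif ctype not in CRITICAL and length > ancillary_limit:
            flags.append(f"oversized ancillary chunk {ctype!r} ({length} bytes)")
        seen_iend = ctype == b"IEND"
        pos += 12 + length
    trailing = len(data) - pos
    if trailing > 0:  # viewers stop reading at IEND and never complain about what follows
        flags.append(f"{trailing} bytes after {'IEND' if seen_iend else 'last chunk'}")
    return {"valid": seen_iend, "flags": flags, "trailing_bytes": trailing}


def chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


# Constructed samples: a 1x1 RGB image, clean and with both hiding spots filled with filler bytes.
IHDR = chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
IDAT = chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))
CLEAN_PNG = PNG_SIG + IHDR + IDAT + chunk(b"IEND", b"")
SUSPECT_PNG = PNG_SIG + IHDR + chunk(b"prVt", b"\x13" * 8000) + IDAT + chunk(b"IEND", b"") + b"\x37" * 512

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("suspect", SUSPECT_PNG)):
        print(name, triage_png(blob))
```

Both samples render identically in an image viewer; only the chunk walk tells them apart.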


A notable aspect of GreetingGhoul is its use of Microsoft Edge WebView2 to create counterfeit overlays on top of legitimate cryptocurrency wallets to siphon credentials entered by unsuspecting users.

DoubleFinger, in addition to dropping GreetingGhoul, has also been observed delivering Remcos RAT, a commercial trojan that has been widely used by threat actors to strike European and Ukrainian entities in recent months.

The analysis “reveals a high level of sophistication and skill in crimeware development, akin to advanced persistent threats (APTs),” Lozhkin noted.

“The multi-staged, shellcode-style loader with steganographic capabilities, the use of Windows COM interfaces for stealthy execution, and the implementation of process doppelgänging for injection into remote processes all point to well-crafted and complex crimeware.”
