A novel multi-stage loader called DoubleFinger has been observed delivering a cryptocurrency stealer dubbed GreetingGhoul in what's an advanced attack targeting users in Europe, the U.S., and Latin America.
"DoubleFinger is deployed on the target machine, when the victim opens a malicious PIF attachment in an email message, eventually executing the first of DoubleFinger's loader stages," Kaspersky researcher Sergey Lozhkin said in a Monday report.
The starting point of the attacks is a modified version of espexe.exe – which refers to the Microsoft Windows Economical Service Provider application – that's engineered to execute shellcode responsible for retrieving a PNG image file from the image hosting service Imgur.
The image employs steganographic trickery to conceal an encrypted payload that triggers a four-stage compromise chain which eventually culminates in the execution of the GreetingGhoul stealer on the infected host.
A notable aspect of GreetingGhoul is its use of Microsoft Edge WebView2 to create counterfeit overlays on top of legitimate cryptocurrency wallets to siphon credentials entered by unsuspecting users.
DoubleFinger, in addition to dropping GreetingGhoul, has also been observed delivering Remcos RAT, a commercial trojan that has been widely used by threat actors to strike European and Ukrainian entities in recent months.
The analysis "reveals a high level of sophistication and skill in crimeware development, akin to advanced persistent threats (APTs)," Lozhkin noted.
"The multi-staged, shellcode-style loader with steganographic capabilities, the use of Windows COM interfaces for stealthy execution, and the implementation of process doppelgänging for injection into remote processes all point to well-crafted and complex crimeware."