
Kaspersky raises the alarm: DoubleFinger malware in action

by admin

Kaspersky has discovered a new multi-stage attack campaign targeting cryptocurrency wallets in Europe, the United States and Latin America. The attack uses the DoubleFinger loader, a complex piece of crimeware that delivers the GreetingGhoul cryptocurrency stealer and the Remcos Remote Access Trojan (RAT). Kaspersky's analysis highlights the high level of expertise and the advanced techniques the cybercriminals bring to an ever-evolving threat landscape.

Advanced skills and techniques

As Kaspersky's investigation shows, the DoubleFinger multi-stage loader starts its attack when the victim inadvertently opens a malicious PIF attachment delivered by email. This runs the first stage of the loader: a modified legitimate Windows binary that has been patched so that malicious shellcode is executed. The shellcode then downloads a PNG image that carries a payload to be launched later in the attack.

Kaspersky raises the alarm

In total, DoubleFinger goes through five stages. The final stage creates a scheduled task that executes GreetingGhoul every day at a pre-established time, then downloads another PNG file, which is decrypted and executed. GreetingGhoul is a stealer designed to harvest cryptocurrency-related credentials. It consists of two components: the first uses Microsoft WebView2 to draw overlays on top of cryptocurrency wallet interfaces, while the second detects cryptocurrency wallet apps and steals sensitive information such as private keys and recovery phrases.

How the GreetingGhoul stealer works

In addition to the GreetingGhoul stealer, Kaspersky also found DoubleFinger samples that downloaded the Remcos RAT, a tool often used by cybercriminals in targeted attacks against businesses and organizations. The shellcode-style multi-stage loader with steganography, the use of Windows COM interfaces for stealthy execution, and the use of process doppelgänging for remote process injection all point to well-crafted, complex crimeware.
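The loader stages described above hide their next-stage payload inside PNG images, and the page does not say how the bytes are embedded. The following is an added example, not Kaspersky's code and not a decoder for DoubleFinger's actual encoding: a generic PNG chunk walker of the kind an analyst would use to triage an image fetched by a suspicious process. It verifies the chunk structure, flags bytes appended after the IEND chunk, non-standard chunk types, and bad CRCs, and returns the trailing bytes so they can be carved out for further analysis. The 1x1 test image and the appended "MZ" bytes are constructed inline so the script runs offline; the chunk type name sTEG is a made-up placeholder.

```python
import struct
import sys
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else is worth a look.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf",
}


def parse_png_chunks(data):
    """Walk the chunk list of a PNG file.

    Returns (chunks, trailing): chunks is a list of dicts with the type,
    offset, length and CRC status of every chunk up to IEND; trailing is
    whatever follows IEND (b"" for a well-formed image).
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_field) != 4:
            raise ValueError("truncated chunk %r at offset %d" % (ctype, pos))
        # The CRC covers the type field and the body, not the length field.
        expected = zlib.crc32(ctype + body) & 0xFFFFFFFF
        crc_ok = struct.unpack(">I", crc_field)[0] == expected
        chunks.append({"type": ctype, "offset": pos, "length": length, "crc_ok": crc_ok})
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def suspicious_findings(data):
    """Return human-readable reasons this PNG deserves closer inspection."""
    chunks, trailing = parse_png_chunks(data)
    findings = []
    if trailing:
        findings.append("%d bytes appended after IEND" % len(trailing))
    for c in chunks:
        if c["type"] not in KNOWN_CHUNKS:
            findings.append("non-standard chunk %r (%d bytes) at offset %d"
                            % (c["type"], c["length"], c["offset"]))
        if not c["crc_ok"]:
            findings.append("bad CRC on chunk %r at offset %d" % (c["type"], c["offset"]))
    return findings


def _chunk(ctype, body):
    """Serialise one PNG chunk with a correct CRC (used to build test input)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(appended=b"", extra_chunk=None):
    """Constructed 1x1 grayscale PNG for testing; not a real malware sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grayscale
    raw = b"\x00\x00"  # one scanline: filter byte + one pixel
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw))
    if extra_chunk is not None:
        png += _chunk(*extra_chunk)
    return png + _chunk(b"IEND", b"") + appended


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        # Constructed example: a clean image with a fake PE header glued on.
        blob = build_sample_png(appended=b"MZ\x90\x00" + b"\x00" * 64)
    for line in suspicious_findings(blob) or ["no findings"]:
        print(line)
```

Run it with a file path to triage a real image; without arguments it analyses the constructed sample. Trailing data after IEND is the cheapest place to hide a payload because every image viewer ignores it, which is exactly why it should be the first thing an analyst checks; payloads hidden inside IDAT pixel data need image-specific decoding and will not be caught by this structural walk.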


The popularity of cryptocurrencies is growing

Sergey Lozhkin, Lead Security Researcher at Kaspersky's GReAT, comments:
As the value and popularity of cryptocurrencies continue to grow, so does the interest of cybercriminals. The group responsible for the DoubleFinger loader and the GreetingGhoul malware stands out as a sophisticated actor with advanced skills in crimeware development. The security of cryptocurrency wallets is a shared responsibility between wallet providers, individual users and the entire cryptocurrency community. To mitigate risk and ensure the protection of our digital assets, it is important to always pay attention, implement effective security measures and stay informed about the latest threats.

How to protect your investments

To protect your cryptocurrency investments, Kaspersky recommends:

Buy hardware wallets only from official and reliable sources, such as the manufacturer's website or authorized resellers. Never enter your recovery seed into your computer: no vendor will ever ask for it.
Before using a new hardware wallet, inspect it for signs of tampering such as scratches, glue, or mismatched components.
Verify that the firmware is legitimate and up to date by checking the manufacturer's website for the most recent version.
Protect and securely store the recovery phrase for your hardware wallet with a reliable security solution such as Kaspersky Premium.
If the hardware wallet requires a password, use a strong and unique one. Avoid easily guessable passwords and never reuse passwords from other accounts.
