{"id":48418,"date":"2023-06-12T06:00:35","date_gmt":"2023-06-12T10:00:35","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=48418"},"modified":"2023-06-13T12:36:54","modified_gmt":"2023-06-13T16:36:54","slug":"doublefinger-crypto-stealer","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/doublefinger-crypto-stealer\/48418\/","title":{"rendered":"Double trouble: crypto-stealing DoubleFinger"},"content":{"rendered":"

Cryptocurrencies are under attack from all sorts of criminal schemes \u2014 from mundane Bitcoin mining scams<\/a> to grandiose cryptocurrency heists worth hundreds of millions of dollars<\/a>.<\/p>\n

For cryptocurrency owners, dangers lurk at literally every turn. Just recently we talked about fake cryptowallets<\/a> \u2014 which look and work just like real ones but eventually steal all your money. Now our experts have discovered<\/a> a brand new threat: a sophisticated attack using the DoubleFinger loader, which brings along its friends in the shape of the cryptostealer GreetingGhoul and the remote-access Trojan Remcos. But first things first..<\/p>\n

How DoubleFinger installs GreetingGhoul<\/h2>\n

Our experts noted the high technical level of the attack and its multistage nature, by which it resembles an advanced persistent threat (APT)<\/a> attack. A DoubleFinger infection starts with an email containing a malicious PIF file. Once the recipient opens the attachment, a chain of events begins, as follows:<\/p>\n

Stage 1<\/strong>. DoubleFinger executes a shellcode<\/a> that downloads a file in PNG format from the image-sharing platform Imgur.com. But it\u2019s not really an image at all: the file contains multiple DoubleFinger components in encrypted form, which are used in subsequent stages of the attack. These include a loader for use in the second stage of the attack, a legitimate java.exe file, and another PNG file to be deployed later, at the fourth stage.<\/p>\n

Stage 2<\/strong>. The DoubleFinger second-stage loader is run using the above-mentioned legitimate java.exe file, after which it executes another shellcode that downloads, decrypts and launches the third stage of DoubleFinger.<\/p>\n

Stage 3<\/strong>. At this stage, DoubleFinger performs a series of actions to bypass security software installed on the computer. Next, the loader decrypts and launches the fourth stage, which is contained in the PNG file mentioned in the first stage. Incidentally, this PNG file contains not only the malicious code but also the image that lent the malware its name:<\/p>\n

\"The<\/a>

The two fingers from which DoubleFinger got its name. (Note: some languages define a thumb as a finger, unlike in English)<\/p><\/div>\n

Stage 4<\/strong>. At this step, DoubleFinger launches the fifth stage using a technique called Process Doppelg\u00e4nging<\/a>, whereby it replaces the legitimate process with a modified one that contains the fifth-stage payload.<\/p>\n

Stage 5<\/strong>. After all the above manipulations, DoubleFinger gets down to doing what it was designed for: loading and decrypting yet another PNG file \u2014 this one containing the final payload. This is the GreetingGhoul cryptostealer, which installs itself in the system and is scheduled in Task Scheduler to run daily at a certain time.<\/p>\n

How GreetingGhoul steals cryptowallets<\/h2>\n

Once the DoubleFinger loader has done its job, GreetingGhoul comes directly into play. This malware contains two complementary components:<\/p>\n

    \n
  1. one that detects cryptowallet applications in the system and steals data of interest to the attackers (private keys and seed phrases);<\/li>\n
  2. one that overlays the interface of cryptocurrency applications and intercepts user input.<\/li>\n<\/ol>\n
    \"GreetingGhoul<\/a>

    Example of GreetingGhoul overlaying the interface of cryptowallet applications<\/p><\/div>\n

    As a result, the cybercriminals behind DoubleFinger are able to take control of the victim\u2019s cryptowallets and withdraw funds from them.<\/p>\n

    Our experts found several DoubleFinger modifications, some of which \u2014 the icing on the cake \u2014 install the quite common (in cybercriminal circles) remote access Trojan<\/a> Remcos in the infected system. Its intended purpose is right there in the name \u2014 REM<\/strong>ote CO<\/strong>ntrol & S<\/strong>urveillance. In other words, Remcos allows cybercriminals to observe all user actions and seize full control of the infected system.
    \n<\/p>\n

    How to protect your cryptowallets<\/h2>\n

    Cryptocurrencies continue to be a magnet for cybercriminals, so all cryptoinvestors need to think hard about security. Speaking of which, we recommend reading our recent post Protecting crypto investments: four key steps to safety<\/a>. Meanwhile, here\u2019s a summary of its key points:<\/p>\n