Official forum for Utopia Community
A cutting-edge attack targeting users in Europe, the U.S., and Latin America has been seen delivering GreetingGhoul, a cryptocurrency stealer, using a novel multi-stage loader known as DoubleFinger. According to a report released on Monday by Kaspersky researcher Sergey Lozhkin, "DoubleFinger is deployed on the target machine, when the victim opens a malicious PIF attachment in an email message, ultimately executing the first of DoubleFinger's loader stages."
A modified version of espexe.exe, the Microsoft Windows Economical Service Provider application, serves as the foundation for the attacks; it is designed to run shellcode responsible for obtaining a PNG image file from the image hosting service Imgur.
The image uses steganography to conceal an encrypted payload that starts a four-stage compromise chain and ultimately causes the GreetingGhoul stealer to execute on the infected host.
GreetingGhoul is notable for its use of Microsoft Edge WebView2 to build fake overlays on top of legitimate cryptocurrency wallets in order to steal credentials entered by unwary users.
In addition to dropping GreetingGhoul, DoubleFinger has also been seen delivering Remcos RAT, a commercial trojan that threat actors have frequently used to attack European and Ukrainian targets in recent months.
According to Lozhkin, the analysis "discloses a high level of sophistication and skill in crimeware development, comparable to advanced persistent threats (APTs)".
"The implementation of process doppelgänging for injection into remote processes, the multi-staged, shellcode-style loader with steganographic capabilities, the use of Windows COM interfaces for stealthy execution: these all point to well-crafted and complex crimeware."