A previously unseen multi-stage loader, known as DoubleFinger, has recently been observed. It delivers a cryptocurrency stealer identified as GreetingGhoul, in an intricate attack that predominantly targets users in Europe, the U.S., and Latin America.
DoubleFinger is deployed on the victim's machine when a malicious PIF attachment embedded in an email message is opened. Opening the attachment triggers the first of DoubleFinger's loader stages, as reported by Kaspersky researcher Sergey Lozhkin.
The starting point of these attacks is a modified variant of espexe.exe, the Microsoft Windows Economical Service Provider application. It has been altered to execute shellcode that retrieves a PNG image file from the image hosting service Imgur.
The PNG image uses steganography to conceal an encrypted payload. That payload initiates a four-stage compromise chain that ultimately results in the execution of the GreetingGhoul stealer on the compromised host.
A noteworthy characteristic of GreetingGhoul is its use of Microsoft Edge WebView2 to create deceptive overlays on top of legitimate cryptocurrency wallets, allowing it to withdraw funds from unsuspecting users. A second component of the malware is designed to capture private keys and seed phrases.
DoubleFinger's capabilities are not confined to deploying GreetingGhoul. It has also been observed delivering Remcos RAT, a commercial trojan that has been used heavily by threat actors targeting European and Ukrainian entities in the recent past.
Lozhkin's analysis underscores a level of sophistication and proficiency in crimeware development comparable to that of advanced persistent threats (APTs).
Lozhkin added, “The multi-staged, shellcode-style loader with steganographic capabilities, the stealthy execution through the use of Windows COM interfaces, and the process doppelgänging implementation for injection into remote processes collectively suggest a complex and well-crafted crimeware.”