September 29, 2023

The cryptocurrency market is now worth more than $2.5 trillion. Cybercriminals are now also tailoring malware to exploit the booming market for NFTs and crypto games. In a discovery of critical importance to anyone familiar with this space, A new campaign of malware targeting cryptocurrency enthusiasts through Discord.

Advertisements

This campaign deploys a crypter, which termed has Babadeda, is able to bypass signature based antivirus solutions. Although some variants of this crypter have been noted by other vendors.

This malware installer has been used in a variety of recent campaigns to deliver information stealers, RATs, and even LockBit ransomware. Even as the threat level for cryptocurrency users rises, we also know that Morphisec’s Moving Target Defense technology is capable of both seeing and stopping Babadeda.

Crypto and NFT Communities Are Prime Targets, many of the recent infections we have seen appear to be related to a sophisticated campaign that exclusively targets the Crypto, NFT, and DeFi communities.

The vast majority of NFT and crypto communities are based on Discord channels. Discord channels are publicly accessible and allow users to send private messages to one another within a channel.

A threat actor took advantage of these features in order to phish victims. The threat actor sent users a private message inviting them to download a related application that would supposedly grant the user access to new features and/or additional benefits. Because the actor created a Discord bot account on the official company discord channel, they were able to successfully impersonate the channel’s official account.

Advertisements

Below is an example of a phishing message that targeted users of “Mines of Dalarna”, a PC game built on the blockchain.

Cryto blog

If a user clicks on the URL within the message, it will direct them to a decoy site. There, the user will be encouraged to download a malicious installer that embeds the Crypter with the payload.

unnamed-1

The threat actor took extended measures to ensure that the delivery chain looks legitimate even to technical users. Typically:

  • Cybersquatting – the domain names of the decoy sites look a lot like the domain names of the original sites  Threat actors will usually remove/add a letter from/to the domain name or change the top-level domain.
  • The domains are signed with a certificate, which enables an HTTPS connection.
  • The UI of the decoy pages is very similar to the UI of the original pages.
  • Upon clicking “Download APP”, the site will generally navigate to /downland.php, which will redirect the download request to a different domain.

On one of these decoy sites, it’s been noticed an HTML object written in Russian. This suggests that the threat actor’s origins may be in a Russian-speaking country since they most likely forgot to translate the HTML object from their native language into English

Advertisements

Indicators of Compromise

  • 0098b2c38a69132bfde02d329d6c1c6e2b529d32d7b775a2ac78a369c0d10853
  • 0115ba0f26a7b7ca3748699f782538fa761f7be4845a9dc56a679acea7b76cd3
  • 062f019515bff366fcbf49cca3f776c21e2beb81c043a45eea81044a9391fd97
  • 112282b873bdbeb5614fc8658934a99d666ba06c4e2840a21cd4458b426a4cad
  • 120213353ac7bd835086e081fb85dfa4959f11d20466fd05789ded3bff30bb11
  • 1252c9103805e02324d2aecb5219e6a071c77b72477eba961621cb09a2138972
  • 140d9a4a2ec5507edf7db37dcc58f2176a0e704e8f91c28a60a7f3773e85e1aa
  • 14da3566bc9f211528c1824330c46789396447c83c3c830bb91490d873025df8
  • 18c01e1f6e0185752dbf8c9352d74ade56ac40d25ae701d4a5954b74d0c7aeea
  • 196ec622eb7d9420b1c04b3856467abeb3ca565d841f34c3c9a628afc10775c8
  • 214d6681f5d82d4fa43e7a8676935ef01ddab8d0847eb3018530aedffe7ebb55
  • 2e5455e268cf12ebc0213aa5dacb2239358c316dda3ec0f99d0f36074f41fb09
  • 2fc8dedf82997894bb31a0eca96ae3c589863ec9bf4d1e2af0a84f2e9c3ef301
  • 3270599801099d3b5399eb898f79d7b7ec0d728c71d5177244b8110757365ade
  • 39b4dc69dd29011135732a881152f99dc19310cb906b7255a3e9ef367258094d
  • 3c844e66f0dafdced0861a8e2ff54fd762ba170bf5082fb2c38cdbbac5a7fecb
  • 3e52c251dc8683e0f374bcbea27b4b700c05dc39db13336859acbbd32590fe7c
  • 3e6a29c04270a4b62375946fdb4c392a1c9b3f64ef391f85bdd67cb78426889f
  • 44e00bef4b6d3f03a845208b925c129a5fe1b9ef6ed8cd27144c5e94176aaa6e
  • 462f7543326630d209b6433936f0c54f8920d6b5505e88d802ee060320ea8106
  • 4e6eed44594054ea42f9860c1e53744649a319788e2cb7f1f624e435cbdec43d
  • 54391ff27b632a36430889dda51cfa46b694badcae2f0ce952065642c94d89df
  • 6342d9c9e087945651b11cec4903f083a20d31182e0be5b2b6030df0a980ff68
  • 65363debbbb9a691838e823c34807a9770db30c2af616c5574231af2b16d6aef
  • 6e4d56a438062210ba8ca68dee690c1692960ff36936c96586f74ee194e1c821
  • 6f247a74aa62fea0577da869fda841170ce6f1fe0e1b9f3b0d8172d336bb7dc6
  • 71d0c5b5916cc5f91370f42fbfd249795e7c40526ae204becdd20fe453b53e8d
  • 72df0397893e1ac981063fbcc0ad048543ba7143ba824f2bb0aa5dfb61538ce6
  • 7c8242812137aad072fe1cb78d49d01187b869d43ebcfcd87eb590c1bc9f1246
  • 7e827e1981d2ccaec16a5b646976b0d492d555a20b9ba5dd4ba0d605dfcab2f7
  • 86b1cf4e6952db195842809ffd7e88e5fdaca8b2b2c0005e995d34cbe9d157ad
  • 8b9120fc400510de52fb5c6689f403e5c0aaba3ff58e2ee114286c2cf09615b5
  • 8ce8c448b5958da3c59874594de428b783116d8c1cf440ab804633799d88af8e
  • 90faf9b85d96a09cb689be3a52669a58df2e9ea53b150a97d05de641e624f634
  • 95d226710f37a870a338344afac6350b48c5d70c7ac8518c42f694eb0f6aa7c5
  • 9b132e1d883c4f513d4ac3a5735a28a1917cfde837ee4a4b632a66cce5aa8be2
  • a2545370b390e52376d12776152aff9285b9b3fe6610d2f8dd24b11ccb14c5b3
  • a2e090192bf0b3b00f5bbef0b81858bc17861fedd82e93f0ab6d60777ca6820e
  • af0c213a2cfb62e6a9ce788c3860c627e035401b75df7f60eb64d4f4bc196aa2
  • b5fe6db30b741f515df94238c8d1a3c51a84fe72f218751c86a254801c3233ee
  • b6dc8341fd38dacb7a2a38a14a21afbab8e7e3f31f2fd29f0bcd7d4eb83e203c
  • bcaaab0cd2178acdf025c7f23f10ab01906a99aca5d07e3a7e261928f8f91695
  • c21e2be7324afb67f1e5cf9fbc95dc346db2ec62d9d8db7b0da9377a00346f41
  • c97893d936b5e1203fb926e7ab612ffd488578e9791f07be4a6eabc83645fb5b
  • ca70f7b046f5909f0134a1c465fda3794344f45055ba2dfa802623bd326fe5b6
  • d360daf106314561e9ec57075dd4f544ad52680678a644e186758650a405b765
  • d548c2e3479c6c7a20ffa8a8402aa00c45aaef24102daf5c94c54a8a6013f370
  • d76e7a14ab20d3f28de1ecef803d8b1629ed077495db5ec7b7f5828ed33c684e
  • de644e637da7cd117517b1bb96ee0f58131515013a322366d680f613afa31bc4
  • e5f55a5ecd7315c9e028738ced66d42852569dd061e15610a054c2121c9ed4d9
  • e99d32952bda84f32425681229ec544849156e479b7247e3e480f3a23a39c915
  • f24492ceab91f70c3dd3c5040184dae3bc38804c872ae948ed1ee6906a890b16
  • fb04bc486bf7b6574b5b7caf1ed4f1a21e9e7463adf312219f767a58e8fb2be1
  • fde7bd78e2085f364e0eb145c77b57b8bfa5bacf6a3e6eaed4b9e3a97c065a80
  • fde8ca7c729a25e723a3738a1b5520f29ef2100ba2d9a2739aa30176b039f511
Tags:

Leave a Reply

You may have missed

Google fixes fifth Zeroday bug in Chrome

September 28, 2023

OpenSea NFT suffers a Breach

September 28, 2023

WordPress Simple Membership Plugin Vulnerabilities

September 28, 2023

Jetbrains TeamCity RCE Vulnerability

September 27, 2023

Heap Buffer Overflow Bug in libwebp Library -CVE-2023-5129

September 27, 2023 2

Symantec Collaborates with Google Cloud Security AI

September 27, 2023 2
%d bloggers like this: