The cryptocurrency market is now worth more than $2.5 trillion. Cybercriminals are now also tailoring malware to exploit the booming market for NFTs and crypto games. In a discovery of critical importance to anyone familiar with this space, A new campaign of malware targeting cryptocurrency enthusiasts through Discord.

Advertisements

This campaign deploys a crypter, which termed has Babadeda, is able to bypass signature based antivirus solutions. Although some variants of this crypter have been noted by other vendors.

This malware installer has been used in a variety of recent campaigns to deliver information stealers, RATs, and even LockBit ransomware. Even as the threat level for cryptocurrency users rises, we also know that Morphisec’s Moving Target Defense technology is capable of both seeing and stopping Babadeda.

Crypto and NFT Communities Are Prime Targets, many of the recent infections we have seen appear to be related to a sophisticated campaign that exclusively targets the Crypto, NFT, and DeFi communities.

The vast majority of NFT and crypto communities are based on Discord channels. Discord channels are publicly accessible and allow users to send private messages to one another within a channel.

A threat actor took advantage of these features in order to phish victims. The threat actor sent users a private message inviting them to download a related application that would supposedly grant the user access to new features and/or additional benefits. Because the actor created a Discord bot account on the official company discord channel, they were able to successfully impersonate the channel’s official account.

Advertisements

Below is an example of a phishing message that targeted users of “Mines of Dalarna”, a PC game built on the blockchain.

Cryto blog

If a user clicks on the URL within the message, it will direct them to a decoy site. There, the user will be encouraged to download a malicious installer that embeds the Crypter with the payload.

unnamed-1

The threat actor took extended measures to ensure that the delivery chain looks legitimate even to technical users. Typically:

  • Cybersquatting – the domain names of the decoy sites look a lot like the domain names of the original sites  Threat actors will usually remove/add a letter from/to the domain name or change the top-level domain.
  • The domains are signed with a certificate, which enables an HTTPS connection.
  • The UI of the decoy pages is very similar to the UI of the original pages.
  • Upon clicking “Download APP”, the site will generally navigate to /downland.php, which will redirect the download request to a different domain.

On one of these decoy sites, it’s been noticed an HTML object written in Russian. This suggests that the threat actor’s origins may be in a Russian-speaking country since they most likely forgot to translate the HTML object from their native language into English

Advertisements

Indicators of Compromise

  • 0098b2c38a69132bfde02d329d6c1c6e2b529d32d7b775a2ac78a369c0d10853
  • 0115ba0f26a7b7ca3748699f782538fa761f7be4845a9dc56a679acea7b76cd3
  • 062f019515bff366fcbf49cca3f776c21e2beb81c043a45eea81044a9391fd97
  • 112282b873bdbeb5614fc8658934a99d666ba06c4e2840a21cd4458b426a4cad
  • 120213353ac7bd835086e081fb85dfa4959f11d20466fd05789ded3bff30bb11
  • 1252c9103805e02324d2aecb5219e6a071c77b72477eba961621cb09a2138972
  • 140d9a4a2ec5507edf7db37dcc58f2176a0e704e8f91c28a60a7f3773e85e1aa
  • 14da3566bc9f211528c1824330c46789396447c83c3c830bb91490d873025df8
  • 18c01e1f6e0185752dbf8c9352d74ade56ac40d25ae701d4a5954b74d0c7aeea
  • 196ec622eb7d9420b1c04b3856467abeb3ca565d841f34c3c9a628afc10775c8
  • 214d6681f5d82d4fa43e7a8676935ef01ddab8d0847eb3018530aedffe7ebb55
  • 2e5455e268cf12ebc0213aa5dacb2239358c316dda3ec0f99d0f36074f41fb09
  • 2fc8dedf82997894bb31a0eca96ae3c589863ec9bf4d1e2af0a84f2e9c3ef301
  • 3270599801099d3b5399eb898f79d7b7ec0d728c71d5177244b8110757365ade
  • 39b4dc69dd29011135732a881152f99dc19310cb906b7255a3e9ef367258094d
  • 3c844e66f0dafdced0861a8e2ff54fd762ba170bf5082fb2c38cdbbac5a7fecb
  • 3e52c251dc8683e0f374bcbea27b4b700c05dc39db13336859acbbd32590fe7c
  • 3e6a29c04270a4b62375946fdb4c392a1c9b3f64ef391f85bdd67cb78426889f
  • 44e00bef4b6d3f03a845208b925c129a5fe1b9ef6ed8cd27144c5e94176aaa6e
  • 462f7543326630d209b6433936f0c54f8920d6b5505e88d802ee060320ea8106
  • 4e6eed44594054ea42f9860c1e53744649a319788e2cb7f1f624e435cbdec43d
  • 54391ff27b632a36430889dda51cfa46b694badcae2f0ce952065642c94d89df
  • 6342d9c9e087945651b11cec4903f083a20d31182e0be5b2b6030df0a980ff68
  • 65363debbbb9a691838e823c34807a9770db30c2af616c5574231af2b16d6aef
  • 6e4d56a438062210ba8ca68dee690c1692960ff36936c96586f74ee194e1c821
  • 6f247a74aa62fea0577da869fda841170ce6f1fe0e1b9f3b0d8172d336bb7dc6
  • 71d0c5b5916cc5f91370f42fbfd249795e7c40526ae204becdd20fe453b53e8d
  • 72df0397893e1ac981063fbcc0ad048543ba7143ba824f2bb0aa5dfb61538ce6
  • 7c8242812137aad072fe1cb78d49d01187b869d43ebcfcd87eb590c1bc9f1246
  • 7e827e1981d2ccaec16a5b646976b0d492d555a20b9ba5dd4ba0d605dfcab2f7
  • 86b1cf4e6952db195842809ffd7e88e5fdaca8b2b2c0005e995d34cbe9d157ad
  • 8b9120fc400510de52fb5c6689f403e5c0aaba3ff58e2ee114286c2cf09615b5
  • 8ce8c448b5958da3c59874594de428b783116d8c1cf440ab804633799d88af8e
  • 90faf9b85d96a09cb689be3a52669a58df2e9ea53b150a97d05de641e624f634
  • 95d226710f37a870a338344afac6350b48c5d70c7ac8518c42f694eb0f6aa7c5
  • 9b132e1d883c4f513d4ac3a5735a28a1917cfde837ee4a4b632a66cce5aa8be2
  • a2545370b390e52376d12776152aff9285b9b3fe6610d2f8dd24b11ccb14c5b3
  • a2e090192bf0b3b00f5bbef0b81858bc17861fedd82e93f0ab6d60777ca6820e
  • af0c213a2cfb62e6a9ce788c3860c627e035401b75df7f60eb64d4f4bc196aa2
  • b5fe6db30b741f515df94238c8d1a3c51a84fe72f218751c86a254801c3233ee
  • b6dc8341fd38dacb7a2a38a14a21afbab8e7e3f31f2fd29f0bcd7d4eb83e203c
  • bcaaab0cd2178acdf025c7f23f10ab01906a99aca5d07e3a7e261928f8f91695
  • c21e2be7324afb67f1e5cf9fbc95dc346db2ec62d9d8db7b0da9377a00346f41
  • c97893d936b5e1203fb926e7ab612ffd488578e9791f07be4a6eabc83645fb5b
  • ca70f7b046f5909f0134a1c465fda3794344f45055ba2dfa802623bd326fe5b6
  • d360daf106314561e9ec57075dd4f544ad52680678a644e186758650a405b765
  • d548c2e3479c6c7a20ffa8a8402aa00c45aaef24102daf5c94c54a8a6013f370
  • d76e7a14ab20d3f28de1ecef803d8b1629ed077495db5ec7b7f5828ed33c684e
  • de644e637da7cd117517b1bb96ee0f58131515013a322366d680f613afa31bc4
  • e5f55a5ecd7315c9e028738ced66d42852569dd061e15610a054c2121c9ed4d9
  • e99d32952bda84f32425681229ec544849156e479b7247e3e480f3a23a39c915
  • f24492ceab91f70c3dd3c5040184dae3bc38804c872ae948ed1ee6906a890b16
  • fb04bc486bf7b6574b5b7caf1ed4f1a21e9e7463adf312219f767a58e8fb2be1
  • fde7bd78e2085f364e0eb145c77b57b8bfa5bacf6a3e6eaed4b9e3a97c065a80
  • fde8ca7c729a25e723a3738a1b5520f29ef2100ba2d9a2739aa30176b039f511