A new malware campaign has been discovered targeting cryptocurrency, non-fungible token (NFT), and DeFi aficionados through Discord channels to deploy a crypter named “Babadeda” that’s capable of bypassing antivirus solutions and stage a variety of attacks.

“[T]his malware installer has been used in a variety of recent campaigns to deliver information stealers, RATs, and even LockBit ransomware,” Morphisec researchers said in a report published this week. The malware distribution attacks are said to have commenced in May 2021.

Automatic GitHub Backups

Crypters are a type of software used by cybercriminals that can encrypt, obfuscate, and manipulate malicious code so as to appear seemingly innocuous and make it harder to detect by security programs — a holy grail for malware authors.

The infiltrations observed by Morphisec involved the threat actor sending decoy messages to prospective users on Discord channels related to blockchain-based games such as Mines of Dalarnia, urging them to download an application. Should a victim click a URL embedded within the message, the individual is directed to a phishing domain designed to resemble the game’s legitimate website and includes a link to a malicious installer containing the Babadeda crypter.

FUD crypter

Upon execution, the installer triggers an infection sequence that decodes and loads the encrypted payload, in this case BitRAT and Remcos, to harvest valuable information.

Prevent Data Breaches

Morphisec attributed the attacks to a threat actor from a Russian-speaking country, owing to the Russian language text displayed on one of the decoy sites. As many as 84 malicious domains, created between July 24, 2021, and November 17, 2021, have been identified to date.

“Targeting cryptocurrency users through trusted attack vectors gives its distributors a fast-growing selection of potential victims,” the researchers said. “Once on a victim’s machine, masquerading as a known application with a complex obfuscation also means that anyone relying on signature-based malware effectively has no way of knowing Babadeda is on their machine — or of stopping it from executing.”


Products You May Like

Articles You May Like

FIN8 Hackers Spotted Using New ‘White Rabbit’ Ransomware in Recent Attacks
2 Suspects Charged In Shooting Death Of LAPD Officer Appear In Federal Court
US orders families of all American embassy staff in Kyiv to leave Ukraine amid fears of Russian invasion
Realme 9i Early Sale Announced, to Be Available on January 22 Ahead of First Sale
Attack on Titan Fans Agree the Newest Episode is One of the Best Ever

Leave a Reply

Your email address will not be published. Required fields are marked *