Cryptocurrency wallets have been targeted by a new malware dubbed “DoubleFinger.”
The findings come from security experts at Kaspersky, who discussed the threat in a blog post published on Monday.
“As the value and popularity of cryptocurrencies continue to rise, so does the interest of cybercriminals,” commented Sergey Lozhkin, a lead security researcher at Kaspersky’s Global Research and Analysis Team (GReAT).
The malware discovered by Kaspersky employs a multistage attack method that resembles an advanced persistent threat (APT). It starts with a malicious email attachment containing a PIF file, which triggers a chain of events.
“The group behind the DoubleFinger loader and GreetingGhoul malware stands out as a sophisticated actor with high skills in crimeware development,” Lozhkin added.
In the first stage, DoubleFinger downloads encrypted components, disguised as a PNG file, from the image-sharing platform Imgur.com. These components include a loader for the second stage, a legitimate java.exe file and another PNG file for later stages.
DoubleFinger then executes its loader, bypassing security software, and launches subsequent stages.
In the fourth stage, DoubleFinger utilizes a technique called Process Doppelgänging to replace a legitimate process with a modified one, housing the fifth-stage payload.
Finally, the GreetingGhoul crypto stealer is installed and scheduled to run daily, targeting the victim’s crypto wallets. According to Kaspersky’s technical write-up, GreetingGhoul consists of two parts.
The first detects crypto-wallet applications in the system and steals valuable data such as private keys and seed phrases. The second overlays the interface of cryptocurrency applications, intercepting user input and enabling cyber-criminals to control and withdraw funds.
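The first stage described above relies on encrypted components that are passed off as a PNG file. One defensive check a triage analyst can run on any image fetched from an image-hosting site is to walk the PNG chunk structure and flag files that carry data after the IEND chunk or whose chunk CRCs do not match. The following Python is an added example written for this article; it is not Kaspersky's tooling and is not taken from the DoubleFinger samples. It assumes the common "appended payload after IEND" layout (the article does not state how the disguised components are embedded), and the 1x1 PNG and the trailing bytes it inspects are constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, 4-byte type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed sample: a valid 1x1 8-bit grayscale PNG (not from the article)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour type, ...
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def inspect_png(data: bytes) -> dict:
    """Parse the chunk list and report structural anomalies a loader-carrying PNG would show.

    Flags: bytes trailing the IEND chunk (hypothetical appended payload) and CRC mismatches.
    """
    result = {"valid_png": False, "chunks": [], "bad_crc": [],
              "trailing_bytes": 0, "suspicious": True, "reason": ""}
    if not data.startswith(PNG_SIGNATURE):
        result["reason"] = "missing PNG signature"
        return result
    offset = len(PNG_SIGNATURE)
    saw_iend = False
    while offset + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[offset:offset + 8])
        body_start = offset + 8
        body_end = body_start + length
        if body_end + 4 > len(data):  # length field runs past the file: truncated or bogus chunk
            result["reason"] = "truncated chunk %s" % ctype.decode("latin-1")
            return result
        body = data[body_start:body_end]
        stored_crc = struct.unpack(">I", data[body_end:body_end + 4])[0]
        if (zlib.crc32(ctype + body) & 0xFFFFFFFF) != stored_crc:
            result["bad_crc"].append(ctype.decode("latin-1"))
        result["chunks"].append(ctype.decode("latin-1"))
        offset = body_end + 4
        if ctype == b"IEND":
            saw_iend = True
            break
    if not saw_iend:
        result["reason"] = "no IEND chunk"
        return result
    result["valid_png"] = True
    # Anything after IEND is ignored by image viewers, so the file still "opens" as a picture.
    result["trailing_bytes"] = len(data) - offset
    if result["trailing_bytes"]:
        result["reason"] = "%d bytes after IEND" % result["trailing_bytes"]
    elif result["bad_crc"]:
        result["reason"] = "CRC mismatch in " + ", ".join(result["bad_crc"])
    result["suspicious"] = bool(result["trailing_bytes"] or result["bad_crc"])
    return result


if __name__ == "__main__":
    clean = build_minimal_png()
    # Constructed stand-in for an appended encrypted blob; not real DoubleFinger data.
    carrier = clean + bytes(range(256))
    for name, sample in (("clean.png", clean), ("carrier.png", carrier)):
        print(name, inspect_png(sample))
```

A file that passes this check can still be malicious (a payload can be hidden inside a legitimate chunk), so treat a clean result as "no obvious anomaly" rather than proof of safety; a hit, on the other hand, is a cheap, high-signal reason to pull the file for deeper analysis.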
Some variations of DoubleFinger install the notorious remote access Trojan Remcos, granting cyber-criminals complete control of the infected system.
To protect crypto wallets, Kaspersky recommends vigilance against scams, diversifying wallet usage, being aware of cold wallet vulnerabilities and purchasing hardware wallets from official sources, among other measures.
“Protecting crypto wallets is a shared responsibility between the wallet providers, individuals, and the broader cryptocurrency community,” Lozhkin added.
“By staying vigilant, implementing strong security measures, and staying informed about the latest threats, we can mitigate the risks and ensure the safety of our valuable digital assets.”
Kaspersky’s blog post comes days after two Russian nationals were charged with stealing millions from defunct crypto exchange Mt Gox.