A new multi-stage loader named DoubleFinger has been observed delivering a cryptocurrency stealer dubbed GreetingGhoul in follow-on attacks targeting users in Europe, the US, and Latin America.
“DoubleFinger is implemented on a target machine when the victim opens a malicious PIF attachment in an email message, ultimately executing the first DoubleFinger loader stage,” Kaspersky researcher Sergey Lozhkin said in Monday’s report.
The starting point of the attack is a modified version of espexe.exe, the Microsoft Windows Economical Service Provider application, which is engineered to execute shellcode responsible for fetching a PNG image file from the image hosting service Imgur.
The image uses steganography to hide an encrypted payload, triggering a four-step compromise chain that ultimately culminates in the execution of the GreetingGhoul stealer on the infected host.
An important aspect of GreetingGhoul is its use of Microsoft Edge WebView2 to create fake overlays on top of legitimate cryptocurrency wallet applications, harvesting the credentials entered by unsuspecting users.
Apart from dropping GreetingGhoul, DoubleFinger has also been seen delivering Remcos RAT, a commercial trojan that threat actors have widely used against European and Ukrainian entities in recent months.
The analysis “revealed a high level of sophistication and skill in the development of malicious tools, similar to advanced persistent threats (APTs),” Lozhkin noted.
“A multi-stage shellcode-style loader with steganography capabilities, use of the Windows COM interface for silent execution, and deployment of process doppelgänging for injection into remote processes all lead to a well-crafted and complex crime rig.”