A novel multi-stage loader called DoubleFinger has been observed delivering a cryptocurrency stealer dubbed GreetingGhoul in what’s an advanced attack targeting users in Europe, the U.S., and Latin America.
“DoubleFinger is deployed on the target machine, when the victim opens a malicious PIF attachment in an email message, ultimately executing the first of DoubleFinger’s loader stages,” Kaspersky researcher Sergey Lozhkin said in a Monday report.
The starting point of the attacks is a modified version of espexe.exe – which refers to Microsoft Windows Economical Service Provider application – that’s engineered to execute shellcode responsible for retrieving a PNG image file from the image hosting service Imgur.
The image employs steganographic trickery to conceal an encrypted payload that triggers a four-stage compromise chain which eventually culminates in the execution of the GreetingGhoul stealer on the infected host.
A notable aspect of GreetingGhoul is its use of Microsoft Edge WebView2 to create counterfeit overlays on top of legitimate cryptocurrency wallets to withdraw funds from unsuspecting users. Another component residing within the malware captures private keys and seed phrases.
DoubleFinger, in addition to dropping GreetingGhoul, has also been spotted delivering Remcos RAT, a commercial trojan that has been widely used by threat actors to strike European and Ukrainian entities in recent months.
The analysis “reveals a high level of sophistication and skill in crimeware development, akin to advanced persistent threats (APTs),” Lozhkin noted.
“The multi-staged, shellcode-style loader with steganographic capabilities, the use of Windows COM interfaces for stealthy execution, and the implementation of process doppelgänging for injection into remote processes all point to well-crafted and complex crimeware.”
