
Hackers Use Babadeda Crypter To Make Their Malware Fully Undetectable.

Morphisec researchers reported this week that “this malware installer has been utilised in a number of recent campaigns to deploy information stealers, RATs, and even LockBit ransomware.” The malware distribution attacks started in May 2021.

A new malware campaign has been identified that uses Discord channels to spread a crypter known as “Babadeda” that can evade antivirus software and perform a range of attacks against cryptocurrency, non-fungible token (NFT) and DeFi enthusiasts.

The threat actor sent fake messages to potential victims on Discord channels dedicated to blockchain-based games like Mines of Dalarnia, asking people to download a programme. If a user clicks on a link in the message, they are taken to a phishing domain that looks like the game’s official website and contains a link to a Trojanised installer carrying the Babadeda crypter.

The threat actor took extended measures to ensure that the delivery chain looks legitimate even to technical users. Typically:

  • Cybersquatting – the domain names of the decoy sites look a lot like the domain names of the original sites. Threat actors will usually remove/add a letter from/to the domain name or change the top-level domain.
  • The domains are signed with a certificate (via Let's Encrypt), which enables an HTTPS connection.
  • The UI of the decoy pages is very similar to the UI of the original pages.
  • Upon clicking “Download APP”, the site will generally navigate to /downland.php, which redirects the download request to a different domain (this makes it less likely that someone will detect a decoy site).
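The lookalike-domain tricks listed above (one letter added or removed, or the TLD swapped) are cheap to detect in proxy or DNS logs. The following is an added example, not code from the article or from Morphisec: it flags hosts that are a one-character variant or TLD swap of a small constructed allow-list of legitimate brand domains, and notes the /downland.php path the article mentions.

```python
"""Flag cybersquatted lookalikes of known-good domains in a list of URLs.

Added example; LEGIT and SAMPLE_URLS are constructed, not real indicators.
Only the last two labels are treated as the registrable domain, so
country-code second-level domains such as co.uk are not handled.
"""
from urllib.parse import urlsplit

LEGIT = {"example-game.com", "walletapp.io"}  # constructed allow-list

def edit_distance_le1(a, b):
    """True if a becomes b with at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        # skip the extra character on the longer side, or both on a substitution
        i += 1 if len(a) >= len(b) else 0
        j += 1 if len(b) >= len(a) else 0
    return edits + (len(a) - i) + (len(b) - j) <= 1

def classify(url):
    """Return a reason string if the URL host looks like a squat of LEGIT, else None."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    name, tld = labels[-2], labels[-1]
    reg = f"{name}.{tld}"
    if reg in LEGIT:
        return None
    for legit in LEGIT:
        lname, ltld = legit.rsplit(".", 1)
        reason = None
        if name == lname and tld != ltld:
            reason = f"{reg}: TLD swap of {legit}"
        elif tld == ltld and edit_distance_le1(name, lname):
            reason = f"{reg}: one-character variant of {legit}"
        if reason:
            # the article notes decoy sites redirect downloads via /downland.php
            if parts.path == "/downland.php":
                reason += " (download via /downland.php)"
            return reason
    return None

def flag_urls(urls):
    """Return (url, reason) pairs for every URL that classify() flags."""
    return [(u, classify(u)) for u in urls if classify(u)]

SAMPLE_URLS = [  # constructed sample log entries
    "https://www.example-game.com/download",
    "https://example-gane.com/downland.php",
    "https://example-game.io/",
    "https://exampl-game.com/downland.php",
    "https://unrelated.org/index.html",
]
```

Running `flag_urls(SAMPLE_URLS)` flags the second, third and fourth entries and leaves the genuine domain and the unrelated site alone.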

Since one of the fake sites contained Russian-language text, Morphisec linked the attacks to a threat actor from a Russian-speaking country. To date, 84 malicious domains have been found, all of which were created between July 24, 2021, and November 17, 2021.

Finally, the researchers concluded that “Targeting bitcoin users through trusted attack channels provides its distributors with a rapidly rising pool of prospective victims. Because Babadeda masquerades as a known application with complex obfuscation once on a victim’s PC, anyone relying on signature-based malware has no way of knowing it’s there – or of stopping it from executing.”


Indicators Of Compromise

File               SHA256
Installer          99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff
difserver.exe      358211210e0bb34dd77073bb0de64bb80723f3434594caf1a95d0ed164ee87a1
libfont-0.6.dll    ce3758d494132e7bef7ea87bb8379bb9f4b0c82768d65881139e1ec1838f236c
libxml3.dll        0ceead2afcdee2a35dfa14e2054806231325dd291f9aa714af44a0495b677efc
menu.xml           080340cb4ced8a16cad2131dc2ac89e1516d0ebe5507d91b3e8fb341bfcfe7d8
