Morphisec researchers reported this week that “this malware installer has been utilised in a number of recent campaigns to deploy information stealers, RATs, and even LockBit ransomware.” The distribution campaign has been active since May 2021.
A new malware campaign has been identified that uses Discord channels to spread a crypter known as “Babadeda”. The crypter evades antivirus detection and has been used to deliver a range of payloads aimed at cryptocurrency, non-fungible token (NFT) and DeFi enthusiasts.
The threat actor sent fake messages to prospective victims in Discord channels dedicated to blockchain-based games such as Mines of Dalarnia, asking them to download an application. If a user clicks the link in the message, they are taken to a phishing domain that looks like the game’s official website and links to a trojanised installer carrying the Babadeda crypter.
The threat actor took extended measures to ensure that the delivery chain looks legitimate even to technical users. Typically:
- Cybersquatting – the domain names of the decoy sites closely resemble those of the original sites. Threat actors typically remove or add a single letter, or change the top-level domain.
- The decoy domains carry TLS certificates issued by Let's Encrypt, so the browser shows a normal HTTPS padlock. The padlock only proves the connection is encrypted to whoever holds the domain; it says nothing about who that is.
- The UI of the decoy pages is very similar to the UI of the original pages.
- Upon clicking “Download APP”, the site generally navigates to /downland.php, which redirects the download request to a different domain (this makes it less likely that the decoy site itself is detected and taken down).
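The first and last points above are the ones a defender can check mechanically: does a domain differ from a known-good one by a single letter or a swapped TLD, and does its download link hop to an unrelated domain? The following is an added example written for this page, not Morphisec's tooling; every domain and URL in it is a constructed placeholder, not an indicator from the report, and the TLD splitting is deliberately naive (it does not handle multi-label suffixes such as co.uk).

```python
"""Heuristics for the decoy-site pattern described above.

Added example, not code from the Morphisec report. All hosts and URLs
below are constructed placeholders, not real indicators.
"""
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlparse


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete and substitute all cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def split_domain(host: str) -> Tuple[str, str]:
    """'www.example-game.com' -> ('example-game', 'com').

    Naive: assumes a single-label public suffix (no co.uk handling), which is
    good enough for the one-letter / TLD-swap checks demonstrated here.
    """
    parts = host.lower().strip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def lookalike_of(host: str, legit_hosts: Iterable[str]) -> Optional[str]:
    """Return the legitimate domain that `host` imitates, or None.

    Flags a TLD swap (same second-level label, different TLD) and a label
    within edit distance 1 (one letter added, removed or changed). An exact
    match with a legitimate host is never flagged.
    """
    label, tld = split_domain(host)
    legit = [split_domain(h) for h in legit_hosts]
    if (label, tld) in legit:
        return None  # it is the real site
    for llabel, ltld in legit:
        if label == llabel and tld != ltld:
            return f"{llabel}.{ltld}"
        if edit_distance(label, llabel) == 1:
            return f"{llabel}.{ltld}"
    return None


def offsite_redirect(page_url: str, location: str) -> bool:
    """True when a download link on page_url is redirected (e.g. via a
    /downland.php-style hop) to a different registrable domain."""
    page_host = urlparse(page_url).hostname or ""
    dest_host = urlparse(location).hostname or ""
    return split_domain(page_host) != split_domain(dest_host)


def triage(page_url: str, location: str, legit_hosts: Iterable[str]) -> List[str]:
    """Collect the indicators that apply to one observed download flow."""
    findings = []
    host = urlparse(page_url).hostname or ""
    target = lookalike_of(host, legit_hosts)
    if target:
        findings.append(f"lookalike of {target}")
    if offsite_redirect(page_url, location):
        findings.append("download redirected off-domain")
    return findings


if __name__ == "__main__":
    # Constructed sample: one legitimate site and a decoy with a dropped letter
    # whose download hop lands on an unrelated host.
    LEGIT = ["example-game.com"]
    print(triage("https://exampe-game.com/downland.php",
                 "https://files.example-cdn.net/Installer.exe", LEGIT))
```

Treat a positive result as a lead, not a verdict: a vendor's real mirror can legitimately sit on another domain, so the value of the check is in combining the two signals with the Discord delivery context rather than in either one alone.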
Since one of the fake sites contained Russian-language text, Morphisec attributed the attacks to a threat actor from a Russian-speaking country. To date, 84 malicious domains have been found, all registered between July 24, 2021, and November 17, 2021.
Finally, the researchers concluded that “Targeting bitcoin users through trusted attack channels provides its distributors with a rapidly rising pool of prospective victims. Because Babadeda masquerades as a known application with complex obfuscation once on a victim’s PC, anyone relying on signature-based malware has no way of knowing it’s there – or of stopping it from executing.”
Indicators Of Compromise