The ever-growing market value of cryptocurrency, now estimated at over $2.5 trillion, has been attracting cybercriminals for years. Digital currency has been of great help in monetizing ransom payments, but it has many other facets that are lucrative to cybercrime.
What Is Babadeda Crypter Malware?
One of the current trends in the crypto world, the so-called NFT (non-fungible tokens), has also attracted criminal minds. Morphisec Labs researchers recently discovered a new malware campaign “targeting cryptocurrency enthusiasts through Discord.”
The new crypter malware has been dubbed Babadeda crypter, after a Russian-language placeholder the malware uses, translating to Grandma – Grandpa.
So, what is Babadeda crypter malware capable of? For starters, it can bypass signature-based antivirus solutions, making its infections highly dangerous to crypto users. More generally, crypters are used by cybercriminals to encrypt, obfuscate, and manipulate malicious code so that it appears benign to scanners. Crypters can be used in a variety of malicious operations.
The researchers note that the crypter’s malware installer has been “used in a variety of recent campaigns to deliver information stealers, RATs, and even LockBit ransomware.” Active campaigns have been observed since May 2021. However, it should be noted that most of the recent infections are related to a sophisticated campaign exclusively targeting the crypto, NFT, and DeFi communities. Due to the rising popularity of NFTs, the research team decided to take a deeper look into the campaign.
What is an NFT? The so-called non-fungible tokens are unique tokens meant to provide proof of ownership of data stored on the blockchain. NFTs represent one of the rising trends that are taking over “the mainstream consciousness,” as the researchers put it.
Since most crypto communities rely heavily on Discord channels, it is no surprise that cybercriminals are taking advantage of Discord’s features in order to perform phishing against users. In this particular campaign, the threat actor sent users a private message inviting them to download a related application that would supposedly grant access to new features and/or additional benefits. One of the phishing messages the report shows is related to a game built on the blockchain – Mines of Dalarna.
On one of the “decoy sites” observed in the campaign, the research team noticed an HTML object written in Russian, meaning that the threat actors are most likely of Russian origin.
More details about the campaign are available in the original report.
In May 2021, security researchers disclosed information about a new cryptocurrency stealer. Called Panda Stealer, the malware has been distributed via spam emails mostly in the US, Australia, Japan, and Germany. Trend Micro’s research showed that the malware also leveraged fileless techniques to bypass detection mechanisms.