To say that the cryptocurrency market, now valued at 2.5 trillion USD, has seen its fair share of scams would be an understatement. The latest to affect the cryptocurrency and Non-Fungible Token (NFT) community involves a threat actor targeting enthusiasts on the popular messaging platform Discord.
According to an article published by security firm Morphisec, Discord is being used to distribute crypter malware. A crypter is a specific type of malware tooling that encrypts, obfuscates, and otherwise manipulates a malicious payload to make it harder for security programs to detect. Threat actors typically use crypters to pass off malware as legitimate, non-harmful software applications. Crypters broadly come in two forms: static or polymorphic.
Static crypters make use of encryption stub data; put simply, a stub is a non-executable file used to decrypt the encrypted malware. The threat actor creates a unique stub for each encryption, and once security software is able to detect the crypter, a new stub can be created to start the cycle again.
Polymorphic crypters use state-of-the-art algorithms that utilize random variables, data, keys, and decoders to create unique encryption routines per file. As such, one input source file never produces an output file that is identical to the output of another source file.
The crypter used in the scam has been named Babadeda, after a Russian language placeholder used by the crypter itself which translates to “Grandma-Grandpa”, and it can evade detection by signature-based antivirus products. For victims relying on such security products, infection is highly likely, according to security researchers.
Further, researchers also noted that the crypter has been used to drop secondary malware payloads including information stealers, RATs, and even LockBit ransomware. The latest campaign was first detected in May 2021 and seems to primarily target the cryptocurrency and NFT communities. Researchers noted,
“Since May 2021, we have observed several malware distribution campaigns. However, many of the recent infections we have seen appear to be related to a sophisticated campaign that exclusively targets the Crypto, NFT, and DeFi communities. It is precisely for this reason, as well as the fact that NFTs are rising in popularity, that we have decided to take a look at this particular campaign distribution in more detail. For those who are not familiar with NFTs (Non-fungible tokens): the term refers to unique tokens that provide proof of ownership on data that is stored on the blockchain technology. In recent years, NFTs have exploded in popularity, and are now starting to enter the mainstream consciousness. Naturally, this growing trend in the crypto space has opened up a new vector for threat actors to exploit.”
With many crypto-related communities moving to Discord to share information, the platform has become a major target for scammers and now for hackers looking to take advantage of these communities. The threat actor in this instance applied several phishing tactics by sending private messages to community members.
The message would include a link to download a crypto-related application that, had it been a legitimate application, would have granted the user access to new features and several additional benefits. The threat actor created a Discord bot account on the official company Discord channel, which meant they were able to successfully impersonate the channel’s official account, adding the veneer of legitimacy a phishing campaign requires to lure in victims.
Once the community member clicks the link, they are redirected to a decoy website. On the website, the visitor is prompted to download the app’s installer, which then installs the crypter along with the payload. The encrypted payloads include Remcos and BitRat, both popular remote access trojans (RATs) easily bought on underground hacker forums.
The website was designed to closely mimic the legitimate website of Mines of Dalarnia, a crypto and NFT related app. To do this the threat actor used several tactics including:
- Cybersquatting. The domain names of the decoy sites look a lot like the domain names of the original sites. Threat actors will usually remove or add a letter to the domain name or change the top-level domain, for example from .com to .net. This makes it harder for visitors to detect any malicious intent.
- The domains are signed with a certificate issued by Let's Encrypt, which enables an HTTPS connection and adds legitimacy to the website.
- The UI of the decoy pages is very similar to the UI of the original pages.
- Upon clicking “Download APP”, the site will generally navigate to /downland.php, which will redirect the download request to a different domain making it far less likely that someone will detect that the page is fake and malicious.
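To show how a defender can look for the cybersquatting and redirect pattern described above, here is an added Python example (not from the Morphisec report or this article) that flags look-alike domains and the /downland.php path in constructed proxy-log URLs; the protected domain example-nftapp.com is a placeholder, not the real Mines of Dalarnia site.

```python
from urllib.parse import urlsplit

# Constructed placeholder for the legitimate site; not the real Mines of Dalarnia domain.
PROTECTED = ["example-nftapp.com"]
SUSPECT_PATHS = {"/downland.php"}  # download path the write-up says the decoy sites use

def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_domain(host: str):
    """Naive split into second-level label and TLD (no public-suffix list handling)."""
    labels = host.lower().rstrip(".").split(".")
    return (labels[-2] if len(labels) >= 2 else labels[0]), labels[-1]

def classify(url: str) -> list:
    """Return reasons a URL matches the decoy pattern; an empty list means nothing flagged."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    sld, tld = split_domain(host)
    reasons = []
    for legit in PROTECTED:
        if host == legit or host.endswith("." + legit):
            continue  # the genuine domain or one of its own subdomains
        legit_sld, legit_tld = split_domain(legit)
        if sld == legit_sld and tld != legit_tld:
            reasons.append(f"tld-swap of {legit}")  # .com -> .net style
        elif levenshtein(sld, legit_sld) == 1:
            reasons.append(f"one-edit lookalike of {legit}")  # letter added, removed or changed
    if parts.path in SUSPECT_PATHS:
        reasons.append("download redirect path seen in the campaign")
    return reasons

# Constructed proxy-log style URLs; these are not real indicators of compromise.
SAMPLE_URLS = [
    "https://example-nftapp.com/download",
    "https://example-nftapp.net/downland.php",
    "https://examp1e-nftapp.com/",
    "https://docs.example-nftapp.com/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", classify(u) or "ok")
```

The one-edit threshold is deliberately tight to keep false positives low; a production version would use a public-suffix list and a larger brand set.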
The Morphisec article includes a wealth of technical information as well as indicators of compromise that are beyond the scope of this article, and it makes for interesting reading for those who want the detail. Researchers concluded,
“As demonstrated above, Babadeda is a highly dangerous crypter. Targeting cryptocurrency users through trusted attack vectors gives its distributors a fast-growing selection of potential victims. Once on a victim's machine, masquerading as a known application with a complex obfuscation also means that anyone relying on signature-based malware effectively has no way of knowing Babadeda is on their machine — or of stopping it from executing."
The threat actor behind this campaign took several steps to avoid detection by the victim, from carefully crafted phishing messages and a convincing decoy website to the use of a crypter to hide the RAT payloads, meaning even the most tech-savvy could fall for the attack.
That being said, many crypto scams rely on victims not doing their due diligence and researching the cryptocurrency or NFT in question. As with everything else, if the deal is too good to be true, it’s probably a scam.