Hackers Steal Cryptocurrencies Using DoubleFinger Malware Via Weaponized PIF Attachment

Stealing cryptocurrencies is a joint event, and a recent addition to this trend is the DoubleFinger loader, which is mainly designed to steal cryptocurrency through multiple stages.

This recent addition, the DoubleFinger loader, is identified by the security researchers at Securelist.

The first stage of DoubleFinger’s loading process begins when the victim opens a harmful PIF attachment in an email, causing DoubleFinger to be deployed on the targeted machine.

In this case, Companies like Trustifi stop advanced email threats That target Your business email with AI-Powered Email Security.

DoubleFinger Stage Analysis

Here below, we have mentioned all the DoubleFinger stages:-

  • DoubleFinger stage 1 
  • DoubleFinger stage 2
  • DoubleFinger stage 3
  • DoubleFinger stage 4
  • DoubleFinger stage 5

The “espexe.exe” binary undergoes several modifications during the initial stage, and the DialogFunc is specifically patched to execute a malicious shellcode. 

A PNG image from Imgur.com is downloaded via shellcode after identifying the API functions added to DialogFunc using their hash values.

The aa.png file with embedded Stage 4

The image contains an encrypted payload which includes:-

  • A PNG with the fourth-stage payload
  • An encrypted data blob
  • A legitimate java.exe binary
  • The DoubleFinger stage 2 loader

Execution of the Java binary file named msvcr100.dll, found in the same directory as the stage 2 loader shellcode, is performed to load the second-stage shellcode.

The third-stage shellcode exhibits significant distinctions compared to the first and second stages.

To bypass the hooks set by security solutions, the process memory loads and maps ntdll.dll by using low-level Windows API calls.

Following that, the decrypted fourth-stage payload found in the PNG file is executed as the next step. Since the data is retrieved from specific locations, it shows that the steganography method used is quite essential.

The first action is to identify the fifth stage within itself and then execute it using the Process “Doppelgänging” technique.

To run the GreetingGhoul stealer regularly, the fifth stage creates a scheduled task that activates it at a specific time every day.

Many cybercriminals frequently rely on Remcos, a well-known commercial Remote Access Trojan (RAT).

Victims & Attribution

Within the malware, security experts at Securelist came across numerous sections of text written in Russian.

Here below, we have mentioned the identified traces:-

  • A misspelled transliteration of the Russian word for “Greetings” in the initial portion of the C2 URL.
  • A string “salamvsembratyamyazadehayustutlokeretodlyagadovveubilinashusferu,” which states, “Greetings to all brothers, I’m suffocating here, locker is for bastards, you’ve messed up our area of interest.”

While apart from this, the victims that are mainly targeted are from:-

  • Europe
  • The USA
  • Latin America

With their advanced sophistication and skill in creating crimeware, the DoubleFinger loader and GreetingGhoul malware can be likened to APTs.

Looking For an All-in-One Multi-OS Patch Management Platform – 

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.