Kaspersky Uncovers Scam That Targets Cryptocurrency Wallet Theft in Latin America


Kaspersky, a renowned cybersecurity company, has identified a new scam campaign aimed at stealing cryptocurrency wallets in Latin America, Europe and the United States. The attackers are able to compromise even wallets that are never connected to the internet, known as hardware wallets.

As cybersecurity researchers explain, criminals use three programs to steal crypto assets: DoubleFinger, which downloads malicious files to the device; GreetingGhoul, which steals the victim’s credentials; and Remcos, a remote access trojan that allows control of the infected platform.


The scam starts with a phishing scheme: victims are tricked into downloading an executable file with a “.pif” extension, sent by the criminals in a deceptive email message. When opened, this program infects the device with DoubleFinger, whose execution is split into five stages that make it difficult to detect.

In the first two stages, the malware downloads a PNG image file and a Java-related file. Taken separately, the files are not malicious, so an antivirus product may not flag them as a threat.

The third stage is where the attack takes shape. Using steganography, that is, reading information hidden in an image, the malware combines the code from the files downloaded in the previous stages.

Next, the malware starts a process in the computer’s memory, a technique known as fileless (“no file”, in free translation), since it leaves no stored traces that can be easily detected. At this point the malware makes a copy of the process and adds the malicious code to it.

Finally, the malware downloads the GreetingGhoul program “disguised” as a PNG image. The process then changes the file extension to “.exe”, allowing it to be executed and completing the infection of the targeted device.

Malware tricks victims into asking for digital wallet credentials (Image: Kaspersky)

In some cases, Kaspersky observed waves of attacks that also downloaded Remcos. Here the criminals bypass the protection of wallet applications that only run on authorized computers, since the malware gives them remote access to the victim’s own machine and lets them carry out the fraud from there.

Campaign attacks physical wallets

The malicious code can also reach hardware wallets, digital wallets stored on a physical device that connects to the PC via USB. This method of storing cryptocurrency is considered more secure, as the wallet is never directly connected to the internet and is less exposed to scams.

Through the malware, criminals display fake messages on the computer screen to persuade victims to connect their hardware wallets to the device infected by DoubleFinger. See an example:

Criminals persuade victims to insert their physical wallets into the device (Image: Kaspersky)

A report released by Kaspersky shows that cryptocurrency theft has grown in step with its popularity among investors. The company reiterates the importance of following security recommendations to protect digital assets.

Cryptocurrency investors are advised to purchase hardware wallets only from official and reliable sources, such as the manufacturer’s website or authorized resellers. It is also important to exercise caution when downloading files from email messages and untrustworthy websites in order to avoid phishing scams.
