A newly discovered malware campaign has been identified targeting cryptocurrency, non-fungible token (NFT), and DeFi enthusiasts. The attackers use Discord channels to distribute a crypter named “Babadeda”, which is designed to evade antivirus products.
“This malware installer has been used in a variety of recent campaigns to deliver information stealers, RATs, and even LockBit ransomware,” Morphisec researchers said in a report published this week. The campaign dates back to May 2021.
A crypter is software used by cybercriminals to encrypt, obfuscate and otherwise manipulate malicious code so that it passes as a harmless program, making it harder for antivirus products to identify the payload it carries.
Morphisec identified the attacks. The threat actors send decoy messages to targets on Discord channels belonging to blockchain-based games such as Mine of Dalarnia, urging them to download an application. If the victim clicks the URL embedded in the message, they are directed to a phishing domain whose layout mimics the game’s genuine website and which links to a malicious installer containing the Babadeda crypter.
Once the installer is executed, it sets off an infection chain that decrypts and loads the encrypted payload, remote access trojans such as BitRAT and Remcos, which then harvest data from the victim’s machine.
“Targeting cryptocurrency users through trusted attack vectors gives its distributors a fast-growing selection of potential victims,” the researchers said. “Once on a victim’s machine, masquerading as a known application with a complex obfuscation also means that anyone relying on signature-based malware effectively has no way of knowing Babadeda is on their machine — or of stopping it from executing.”