26 November 2021

New malware campaign targets crypto, NFT and DeFi communities via Discord


Security researchers have shed light on a new campaign on Discord that uses a crypter named ‘Babadeda’ to hide malware that targets crypto, NFT and DeFi communities.

This crypter is able to bypass signature-based antivirus solutions and was previously observed in malicious campaigns distributing information stealers, RATs, and LockBit ransomware.

According to Morphisec researchers, threat actors have been distributing remote access trojans, such as Remcos and BitRAT, obfuscated by Babadeda on publicly accessible NFT and crypto-themed Discord channels since May 2021.

In one of the recent campaigns observed by Morphisec, the malicious actor sent private messages to users of popular Discord channels focused on NFTs or cryptocurrency, inviting them to download a game or an app.

In one instance, the threat actor targeted users of “Mines of Dalarna”, a PC game built on the blockchain, with phishing messages. If a user is tricked into clicking a link within the message, they are redirected to a decoy website serving a malicious installer that embeds the crypter together with the payload. These decoy domains use a valid Let's Encrypt certificate and support an HTTPS connection, which makes it harder to notice that something is wrong with the site.

“Interestingly, on one of these decoy sites, we noticed an HTML object written in Russian. This suggests that the threat actor's origins may be in a Russian-speaking country since they most likely forgot to translate the HTML object from their native language into English,” the researchers said.

The research team said they identified at least 82 decoy domains created between July 24, 2021, and November 17, 2021.

Once downloaded and executed, Babadeda copies its compressed files into a newly created folder under ‘C:\Users\<user>\AppData\Roaming\’ or ‘C:\Users\<user>\AppData\Local\’ and starts execution via the main executable. Some variants of the crypter display a fake error message. While the researchers are not sure what the real purpose of this message is, they say it might be used as an evasion technique against security solutions, or to deceive the user into thinking that the application has failed to run, when in reality it silently continues the malicious execution in the background.
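The staging behaviour described above (files dropped into a freshly created folder under a user's AppData\Roaming or AppData\Local, then executed from there) is something endpoint telemetry can be hunted for. The script below is an added example written for this article, not code from Morphisec or from the campaign analysis: it correlates Sysmon-style FileCreate and ProcessCreate events and flags any process launched from an AppData folder that received its first file only minutes earlier. The event shape, the ten-minute window, the allowlist of installer folders and every sample path are constructed assumptions for the example.

```python
"""Hunt for processes launched from freshly created folders under
AppData\\Roaming or AppData\\Local.  All telemetry below is constructed
for this example in the style of Sysmon FileCreate (11) and
ProcessCreate (1) events; nothing here is a real indicator."""
import re
from datetime import datetime, timedelta

# Captures the per-user AppData staging root and the first folder beneath it,
# e.g. C:\Users\alice\AppData\Roaming\<folder>\...
APPDATA_RE = re.compile(
    r"^(?P<root>[A-Za-z]:\\Users\\(?P<user>[^\\]+)\\AppData\\"
    r"(?:Roaming|Local)\\(?P<folder>[^\\]+))\\",
    re.IGNORECASE,
)

# Folders routinely written by legitimate per-user installers (assumed allowlist).
ALLOWLIST = {"microsoft", "discord", "mozilla", "google"}

# Constructed sample events, timestamps in ISO 8601.
SAMPLE_EVENTS = [
    # Legitimate Discord update: allowlisted folder, ignored regardless of timing.
    {"ts": "2021-11-20T09:59:00", "type": "FileCreate",
     "path": r"C:\Users\alice\AppData\Local\Discord\app-1.0.9003\Discord.exe"},
    {"ts": "2021-11-20T09:59:30", "type": "ProcessCreate",
     "image": r"C:\Users\alice\AppData\Local\Discord\app-1.0.9003\Discord.exe",
     "parent": r"C:\Users\alice\AppData\Local\Discord\Update.exe"},
    # Long-installed editor: folder is months old, so launching it is not suspicious.
    {"ts": "2021-09-01T12:00:00", "type": "FileCreate",
     "path": r"C:\Users\bob\AppData\Local\Programs\Editor\editor.exe"},
    {"ts": "2021-11-20T10:02:00", "type": "ProcessCreate",
     "image": r"C:\Users\bob\AppData\Local\Programs\Editor\editor.exe",
     "parent": r"C:\Windows\explorer.exe"},
    # Fake "game" installer: drops files into a brand-new folder and runs them seconds later.
    {"ts": "2021-11-20T10:05:00", "type": "FileCreate",
     "path": r"C:\Users\alice\AppData\Roaming\GameInstaller\launcher.exe"},
    {"ts": "2021-11-20T10:05:02", "type": "FileCreate",
     "path": r"C:\Users\alice\AppData\Roaming\GameInstaller\data.bin"},
    {"ts": "2021-11-20T10:05:30", "type": "ProcessCreate",
     "image": r"C:\Users\alice\AppData\Roaming\GameInstaller\launcher.exe",
     "parent": r"C:\Users\alice\Downloads\Game_Setup.exe"},
]


def staging_root(path):
    """Return (root, user, folder) if path lies under a user's AppData root, else None."""
    m = APPDATA_RE.match(path)
    if not m:
        return None
    return m.group("root"), m.group("user"), m.group("folder")


def flag_fresh_appdata_launches(events, window=timedelta(minutes=10)):
    """Flag ProcessCreate events whose image sits in an AppData folder that
    received its first file within `window` before the launch."""
    first_write = {}  # staging root -> time of the first file written into it
    findings = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "FileCreate":
            info = staging_root(ev["path"])
            if info and info[0] not in first_write:
                first_write[info[0]] = ts  # approximates folder creation time
        elif ev["type"] == "ProcessCreate":
            info = staging_root(ev["image"])
            if not info or info[2].lower() in ALLOWLIST:
                continue
            root, user, folder = info
            created = first_write.get(root)
            if created is not None and ts - created <= window:
                findings.append({
                    "user": user,
                    "folder": folder,
                    "image": ev["image"],
                    "parent": ev.get("parent"),
                    "seconds_since_folder_created": int((ts - created).total_seconds()),
                })
    return findings


if __name__ == "__main__":
    for hit in flag_fresh_appdata_launches(SAMPLE_EVENTS):
        print(hit)
```

On the constructed sample only the `GameInstaller` launch is reported: the Discord update is allowlisted and the editor's folder predates its launch by months. In a real deployment the allowlist should be tuned to the fleet's software inventory, and the parent process (an installer in the user's Downloads folder here) is the field worth pivoting on next.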

“Babadeda is a highly dangerous crypter. Targeting cryptocurrency users through trusted attack vectors gives its distributors a fast-growing selection of potential victims. Once on a victim's machine, masquerading as a known application with a complex obfuscation also means that anyone relying on signature-based malware effectively has no way of knowing Babadeda is on their machine — or of stopping it from executing,” the researchers concluded.
