Security researchers have shed light on a new campaign on Discord that uses a crypter named ‘Babadeda’ to hide malware that targets crypto, NFT and DeFi communities.
This crypter is able to bypass signature-based antivirus solutions and was previously observed in malicious campaigns distributing information stealers, RATs, and LockBit ransomware.
According to Morphisec researchers, threat actors have been distributing remote access trojans, such as Remcos and BitRAT, obfuscated by Babadeda on publicly accessible NFT and crypto-themed Discord channels since May 2021.
One of the recent campaigns observed by Morphisec involved the malicious actor sending private messages to users of popular Discord channels focused on NFTs or cryptocurrency, inviting them to download a game or an app.
In one instance, the threat actor targeted users of “Mines of Dalarna”, a PC game built on the blockchain, with phishing messages. If a user is tricked and clicks on a link within the message, they will be redirected to a decoy website serving a malicious installer that embeds the crypter with the payload. These decoy domains use a valid LetsEncrypt certificate and support an HTTPS connection, which makes it harder to notice something is wrong with the site.
“Interestingly, on one of these decoy sites, we noticed an HTML object written in Russian. This suggests that the threat actor's origins may be in a Russian-speaking country since they most likely forgot to translate the HTML object from their native language into English,” the researchers said.
The research team said they identified at least 82 decoy domains created between July 24, 2021, and November 17, 2021.
Once downloaded and executed, Babadeda copies its compressed files into a newly created folder under the ‘C:\Users\<user>\AppData\Roaming\’ or ‘C:\Users\<user>\AppData\Local\’ directory paths and starts execution via the main executable. Some variants of the crypter display a fake error message. While the researchers are not sure what the real purpose of this message is, they say it might be used as a security-solution evasion technique, or to deceive the user into thinking that the application has failed to execute, when in reality it silently continues the malicious execution in the background.
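A defender-side hunting check for the behaviour described above: an executable started from a folder that was created only moments earlier under AppData\Roaming or AppData\Local. This is an added example, not code from Morphisec or the article; the event format, the ten-minute window and the sample paths are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation telemetry (not data from the article).
# Field order: process start | image path | creation time of the image's folder
SAMPLE_EVENTS = """\
2021-11-17T10:02:11 | C:\\Users\\alice\\AppData\\Roaming\\GameInstall\\launcher.exe | 2021-11-17T10:01:58
2021-11-17T10:05:40 | C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe | 2020-03-02T08:00:00
2021-11-17T10:09:03 | C:\\Users\\bob\\AppData\\Local\\DemoApp\\DemoApp.exe | 2021-11-17T10:08:50
2021-11-17T10:12:30 | C:\\Program Files\\Git\\bin\\git.exe | 2019-06-01T00:00:00
"""

# Matches images living anywhere under a user's AppData\Roaming or AppData\Local.
APPDATA_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
TS = "%Y-%m-%dT%H:%M:%S"


def parse_events(text):
    """Parse the pipe-separated sample format into (start, image, folder_created) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        started, image, folder_created = (f.strip() for f in line.split("|"))
        events.append((datetime.strptime(started, TS), image, datetime.strptime(folder_created, TS)))
    return events


def is_suspicious(started, image, folder_created, window=timedelta(minutes=10)):
    """True when the image runs from under AppData\\Roaming or AppData\\Local and its
    folder was created within `window` before the process started (assumed threshold)."""
    if not APPDATA_RE.match(image):
        return False
    age = started - folder_created
    return timedelta(0) <= age <= window


def flag_events(text, window=timedelta(minutes=10)):
    """Return the image paths in `text` that match the hunting rule, in input order."""
    return [image for started, image, created in parse_events(text)
            if is_suspicious(started, image, created, window)]


if __name__ == "__main__":
    for path in flag_events(SAMPLE_EVENTS):
        print("suspicious:", path)
```

Long-installed applications under AppData (the Teams line) are not flagged because their folder is old; installers that extract to a fresh folder will match and need triage.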
“Babadeda is a highly dangerous crypter. Targeting cryptocurrency users through trusted attack vectors gives its distributors a fast-growing selection of potential victims. Once on a victim's machine, masquerading as a known application with a complex obfuscation also means that anyone relying on signature-based malware effectively has no way of knowing Babadeda is on their machine — or of stopping it from executing,” the researchers concluded.