A new malware campaign has been discovered targeting cryptocurrency, non-fungible token (NFT), and DeFi aficionados through Discord channels to deploy a crypter named “Babadeda” that’s capable of bypassing antivirus solutions and stage a variety of attacks.
“[T]his malware installer has been used in a variety of recent campaigns to deliver information stealers, RATs, and even LockBit ransomware,” Morphisec researchers said in a report published this week. The malware distribution attacks are said to have commenced in May 2021.
Crypters are a type of software used by cybercriminals that can encrypt, obfuscate, and manipulate malicious code so as to appear seemingly innocuous and make it harder to detect by security programs — a holy grail for malware authors.
The infiltrations observed by Morphisec involved the threat actor sending decoy messages to prospective users on Discord channels related to blockchain-based games such as Mines of Dalarnia, urging them to download an application. Should a victim click a URL embedded within the message, the individual is directed to a phishing domain designed to resemble the game’s legitimate website and includes a link to a malicious installer containing the Babadeda crypter.
Morphisec attributed the attacks to a threat actor from a Russian-speaking country, owing to the Russian language text displayed on one of the decoy sites. As many as 84 malicious domains, created between July 24, 2021, and November 17, 2021, have been identified to date.
“Targeting cryptocurrency users through trusted attack vectors gives its distributors a fast-growing selection of potential victims,” the researchers said. “Once on a victim’s machine, masquerading as a known application with a complex obfuscation also means that anyone relying on signature-based malware effectively has no way of knowing Babadeda is on their machine — or of stopping it from executing.”