New malicious software that targets crypto wallets - Kaspersky has discovered a new advanced multi-stage attack campaign targeting crypto wallets in Europe, the United States, and Latin America. The attack includes the DoubleFinger loader, a complex crimeware software that deploys the GreetingGhoul cryptocurrency stealer and the Remcos Remote Access Trojan (RAT). Kaspersky's analysis highlights the techniques and skill level of cybercriminals in this evolving threat landscape.

According to Kaspersky's research, the multi-stage loader, DoubleFinger, initiates its attack when the victim unintentionally opens a malicious attached PDF file in an email. This triggers the execution of the loader's first stage, a modified Windows DLL binary file, followed by the execution of a malicious shellcode. Subsequently, the shellcode downloads a PNG image containing a payload intended to be executed later in the attack.

Overall, DoubleFinger consists of five stages to create a scheduled task that executes the GreetingGhoul stealing program daily at a specific time. It then downloads another PNG file, decrypts it, and executes it. GreetingGhoul is a stealer designed to steal credentials related to cryptocurrencies and consists of two components: the first utilizes MS WebView2 to create overlays on cryptocurrency wallet interfaces, and the second is designed to detect cryptocurrency wallet applications and steal sensitive information such as keys, recovery phrases, and more.