DoubleFinger delivers GreetingGhoul cryptocurrency stealer
DoubleFinger delivers GreetingGhoul cryptocurrency stealer
Kaspersky researchers share insight into multistage DoubleFinger loader attack delivering GreetingGhoul cryptocurrency stealer and Remcos RAT.
This new stealer has five stages, and shows a high level of sophistication, akin to APTs. Targeted victims have been seen in Europe, the USA, and Latin America.
Several pieces of Russian text were found in the malware.
The first part of the C2 URL is “Privetsvoyu” which is a misspelled transliteration of the Russian word for “Greetings.” Secondly, we found the string “salamvsembratyamyazadehayustutlokeretodlyagadovveubilinashusferu.” Despite the weird transliteration, it roughly translates to: “Greetings to all brothers, I’m suffocating here, locker is for bastards, you’ve messed up our area of interest.”
MD5 sum and C2 URL IOCs are included at the end of the report.