Sneaky DoubleFinger loads GreetingGhoul targeting your cryptocurrency

Introduction


Stealing cryptocurrencies is nothing new. For example, the Mt. Gox exchange was robbed of many bitcoins in the early 2010s. Attackers such as those behind the Coinvault ransomware were after your Bitcoin wallets, too. Since then, stealing cryptocurrencies has continued to occupy cybercriminals.


One of the latest additions to this phenomenon is the multi-stage DoubleFinger loader, which delivers a cryptocurrency stealer. DoubleFinger is deployed on the target machine when the victim opens a malicious PIF attachment in an email message, which ultimately executes the first of DoubleFinger’s loader stages.


DoubleFinger stage 1


The first stage is a modified “espexe.exe” (MS Windows Economical Service Provider Application) binary, in which DialogFunc is patched so that malicious shellcode is executed. After resolving API functions by hash (code that was added to DialogFunc), the shellcode downloads a PNG image from Imgur.com. Next, the shellcode searches the downloaded image for the magic bytes (0xea79a5c6) to locate the encrypted payload embedded within it.




Real DialogFunc function (left) and patched function with shellcode (right)
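The stage-1 behaviour described above (an encrypted payload hidden inside a PNG and located by a magic marker) can be triaged from the defender's side by walking the PNG chunk structure and flagging any data past the IEND chunk plus any occurrence of the marker. The following is an added example, not code from the report or from the malware; the byte order of the marker on disk is not stated in the report, so both encodings are checked (an assumption), and the sample PNG with a fake blob appended after IEND is constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Marker value from the report; its on-disk byte order is not stated,
# so both little- and big-endian encodings are searched (assumption).
MAGIC = 0xEA79A5C6
MAGIC_PATTERNS = (struct.pack("<I", MAGIC), struct.pack(">I", MAGIC))


def walk_png_chunks(data):
    """Yield (chunk_type, start, end) for each chunk up to and including IEND."""
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if end > len(data):
            break  # malformed or truncated chunk
        yield ctype, pos, end
        pos = end
        if ctype == b"IEND":
            break


def find_embedded_payload(data):
    """Report bytes trailing IEND and the first marker hit (None if absent)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    image_end = None
    for ctype, _, end in walk_png_chunks(data):
        if ctype == b"IEND":
            image_end = end
    if image_end is None:
        raise ValueError("truncated PNG: no IEND chunk")
    # The marker may sit inside chunk data or in trailing bytes; scan it all.
    hits = [off for pat in MAGIC_PATTERNS if (off := data.find(pat)) != -1]
    return {"image_end": image_end,
            "trailing_bytes": len(data) - image_end,
            "marker_offset": min(hits) if hits else None}


def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample():
    """Constructed 1x1 PNG with a fake 'encrypted blob' appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    return png + b"\x00" * 16 + struct.pack("<I", MAGIC) + b"\x41" * 32
```

Run `find_embedded_payload(open(path, "rb").read())` over downloaded PNGs; a non-zero `trailing_bytes` or a marker hit is worth a closer look even when the image renders normally.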


The encrypted payload consists of:


A PNG with the fourth-stage payload;
An encrypted data blob;
A legitimate java.exe binary, used for DLL sideloading;
The DoubleFinger stage 2 loader.

DoubleFinger stage 2


The second-stage shellcode is loaded by executing the legitimate Java binary located in the same directory as the st ..
