Threat actors have been using the new DoubleFinger multi-stage loader to facilitate the deployment of the GreetingGhoul cryptocurrency stealer in attacks targeted at U.S., Latin American, and European users, The Hacker News reports.
Initial DoubleFinger loader stages are executed by opening a malicious PIF attachment in phishing emails; an altered Microsoft Windows Economical Service Provider app is then used to fetch a malicious PNG file containing an encrypted payload that triggers execution of the GreetingGhoul stealer through a four-stage compromise chain, a Kaspersky report revealed.
Aside from exfiltrating cryptocurrency assets, GreetingGhoul also steals users' credentials using Microsoft Edge WebView2. DoubleFinger was also found to be used for Remcos RAT distribution, with Kaspersky researcher Sergey Lozhkin noting that both DoubleFinger and GreetingGhoul show a level of sophistication comparable to advanced persistent threat operations.
"The multi-staged, shellcode-style loader with steganographic capabilities, the use of Windows COM interfaces for stealthy execution, and the implementation of process doppelgänging for injection into remote processes all point to well-crafted and complex crimeware," said Lozhkin.