fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Discord Malware Campaign Targets Crypto and NFT Communities

Discord Malware Campaign Targets Crypto and NFT Communities

A new malware campaign on Discord uses the Babadeda crypter to hide malware that targets the crypto, NFT, and DeFi communities.

Babadeda is a crypter used to encrypt and obfuscate malicious payloads in what appear to be harmless application installers or programs.

Starting in May 2021, threat actors have been distributing remote access trojans obfuscated by Babadeda as a legitimate app on crypto-themed Discord channels.

Due to its complex obfuscation, it has a very low AV detection rate, and according to researchers at Morphisec, its infection rates are picking up speed.

Phishing on Discord

The delivery chain begins on public Discord channels enjoying large viewership from a crypto-focused audience, such as new NFT drops or cryptocurrency discussions.

The threat actors post on these channels or send private messages to prospective victims, inviting them to download a game or an app.

In some cases, the actors impersonate existing blockchain software projects like the “Mines of Dalarna” game.

Also Read: The 3 Main Benefits Of PDPA For Your Business

Phishing post on Discord
Phishing post on Discord
Source: Morphisec

If the user is tricked and clicks on the provided URL, they will end up on a decoy site that uses a cybersquatted domain that is easy to pass as the real one.

These domains use a valid LetsEncrypt certificate and support an HTTPS connection, making it even harder for careless users to spot the fraud.

Comparison between a fake and real site
Comparison between a fake and real site
Source: Morphisec

Other decoy sites used in this campaign are listed below:

Cloned sites created for malware distribution
Cloned sites created for malware distribution
Source: Morphisec

The Babadeda deception

The malware is downloaded upon clicking the “Play Now” or “Download app” buttons on the above sites, hiding in the form of DLLs and EXE files inside an archive that appears like any ordinary app folder at first glance.

If the user attempts to execute the installer, they will receive a fake error message to deceive the victim into thinking that nothing happened.

Also Read: What Do 4 Messaging Apps Get From You? Read The iOS Privacy App Labels

In the background, though, the execution of the malware continues, reading the steps from an XML file to execute new threads and load the DLL that will implement persistence.

This persistence is done through a new startup folder item and the writing of a new registry Run key, both starting crypter’s primary executable.

Babadeda execution flow
Babadeda execution flow
Source: Morphisec

“The executable .text section’s characteristics are configured to RWE (Read-Write-Execute) — that way the actor doesn’t need to use VirtualAlloc or VirtualProtect in order to copy the shellcode and transfer the execution.” – Morphisec

“This helps with evasion since those functions are highly monitored by security solutions. Once the shellcode is copied to the executable, the DLL calls to the shellcode’s entry point (shellcode_address).”

Babadeda has been used in past malware campaigns distributing info-stealers, RATs, and even the LockBit ransomware, but in this specific campaign, Morphisec observed the dropping of Remcos and BitRAT.

Remcos is a widely-abused remote surveillance software that enables attackers to take control of the infected machine and steal account credentials, browser cookies, drop more payloads, etc.

In this case, because the campaign targets members of the crypto community, it is assumed that they are after their wallets, cryptocurrency funds, and NFT assets.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us