A novel multi-stage loader called
DoubleFinger has been observed delivering a cryptocurrency stealer dubbed GreetingGhoul in what's an advanced attack targeting users in Europe, the U.S., and Latin America.
"DoubleFinger is deployed on the target machine, when the victim opens a malicious PIF attachment in an email message, ultimately executing the first of DoubleFinger's loader stages," Kaspersky researcher Sergey Lozhkin
said in a Monday report.
The starting point of the attacks is a modified version of
espexe.exe – which refers to Microsoft Windows Economical Service Provider application – that's engineered to execute shellcode responsible for retrieving a PNG image file from the image hosting service Imgur.
The image employs steganographic trickery to conceal an encrypted payload that triggers a four-stage compromise chain which eventually culminates in the execution of the GreetingGhoul stealer on the infected host.
A notable aspect of GreetingGhoul is its use of
Microsoft Edge WebView2 to create counterfeit overlays on top of legitimate cryptocurrency wallets to withdraw funds from unsuspecting users. Another component residing within the malware captures private keys and seed phrases.
