Scammers Use Babadeda Crypter to Target Crypto, NFT, and DeFi Communities

The malware bypasses signature-based antivirus solutions, allowing attackers to take control of a target’s computer.

Morphisec Labs researchers have uncovered a new malware campaign that uses a crypter, dubbed Babadeda, to target the crypto, NFT, and DeFi communities.

The campaign, which has potential links to Russian-speaking actors, uses fake OpenSea, Bored Ape Yacht Club, and ZED RUN marketplace domains to target cryptocurrency and NFT users on the group chat platform Discord.

Over the past few years, several vendors have reported variants of this crypter, but Morphisec is the first to document how it is being aimed at the NFT community specifically. With a market value of more than $2.5 trillion, the cryptocurrency market is a prime target for attackers.

According to Morphisec researchers, the crypter evades signature-based antivirus solutions and delivers RAT payloads that give attackers administrative control over a target’s computer.

“Babadeda is a highly dangerous crypter. Targeting cryptocurrency users through trusted attack vectors gives its distributors a fast-growing selection of potential victims,” stated Hido Cohen and Arnold Osipov, security researchers at Morphisec. “Once on a victim’s machine, masquerading as a known application with a complex obfuscation also means that anyone relying on signature-based malware effectively has no way of knowing Babadeda is on their machine – or of stopping it from executing.”

Attacker Methodology

The threat actor creates a Discord bot account on the targeted project’s official Discord server, which lets them impersonate the channel’s official account. The bot then sends users a direct message inviting them to download a companion application, promising access to new features and benefits in return. The link leads to a decoy site, which serves a malicious installer that embeds the crypter together with its RAT payload.

“Upon clicking ‘Download APP,’ the site will generally navigate to /downland.php, which will redirect the download request to a different domain (this makes it less likely that someone will detect a decoy site),” the researchers explained. “Interestingly, on one of these decoy sites, we noticed an HTML object written in Russian. This suggests that the threat actor’s origins may be in a Russian-speaking country since they most likely forgot to translate the HTML object from their native language into English.”

To evade detection, the attackers masked their intentions behind legitimate-looking applications. The decoy sites used domain names and user interfaces closely resembling the originals and were served over HTTPS with valid TLS certificates. The researchers identified 82 domains created between July 24, 2021, and November 17, 2021, that were used in this campaign.
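The two observable traits of the delivery chain described above, a lookalike brand domain and a download request that is redirected to a different domain, can both be checked from web-proxy logs. The following script is an added example written for this page, not Morphisec’s code or any tooling from the research: it scans constructed proxy-style log lines (invented for the example, not real indicators) for hosts that imitate the brands the article names and for redirect responses that send an installer download to another host. The legitimate domains listed for OpenSea, Bored Ape Yacht Club and ZED RUN, the log line format, and the hostnames in the sample log are all assumptions made here.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Brands named in the article. The legitimate domains and the alias labels
# are assumptions for this example, not data taken from the research.
WATCHED = {
    "OpenSea": ("opensea.io", ("opensea",)),
    "Bored Ape Yacht Club": ("boredapeyachtclub.com", ("boredapeyachtclub", "bayc")),
    "ZED RUN": ("zed.run", ("zedrun",)),
}

# File types a "companion app" download would typically end in.
INSTALLER_EXT = (".exe", ".msi", ".zip", ".dmg", ".pkg")

# Constructed key=value proxy log format (not a real product's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) method=(?P<method>\S+) "
    r"url=(?P<url>\S+) status=(?P<status>\d{3})(?: location=(?P<location>\S+))?$"
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; labels are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """Label left of the TLD, e.g. 'opensea-app' for 'opensea-app.example'.
    A naive split (no public-suffix list) is enough for this example."""
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_brand(host: str) -> Optional[str]:
    """Return the brand a host imitates, or None for the genuine site or for
    a host that does not resemble any watched brand."""
    host = host.lower()
    for _brand, (legit, _aliases) in WATCHED.items():
        if host == legit or host.endswith("." + legit):
            return None  # the real domain or one of its subdomains
    label = re.sub(r"[^a-z]", "", registrable_label(host))  # drop hyphens/digits
    for brand, (_legit, aliases) in WATCHED.items():
        for alias in aliases:
            if len(alias) >= 4 and alias in label:
                return brand  # brand name embedded in the label
            if levenshtein(label, alias) <= (1 if len(alias) < 6 else 2):
                return brand  # typo-squat within a couple of edits
    return None


def find_decoy_downloads(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Flag requests answered by a redirect to a *different* host whose target
    looks like an installer, the '/downland.php -> other domain' pattern."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        if not rec["status"].startswith("3") or not rec["location"]:
            continue
        src, dst = urlsplit(rec["url"]), urlsplit(rec["location"])
        if src.hostname == dst.hostname:
            continue  # same-site redirect, not the cross-domain hand-off
        if not dst.path.lower().endswith(INSTALLER_EXT):
            continue
        findings.append({
            "client": rec["client"],
            "decoy_host": src.hostname,
            "download_host": dst.hostname,
            "path": src.path,
            "imitates": lookalike_brand(src.hostname),
        })
    return findings


# Constructed sample log; hostnames are invented and use the reserved .example TLD.
SAMPLE_LOG = """\
2021-11-10T12:00:01Z client=10.0.0.5 method=GET url=https://opensea.io/collection/x status=200
2021-11-10T12:00:07Z client=10.0.0.5 method=GET url=https://opensea-app.example/downland.php status=302 location=https://cdn-files.example/OpenSeaApp.exe
2021-11-10T12:00:08Z client=10.0.0.5 method=GET url=https://cdn-files.example/OpenSeaApp.exe status=200
2021-11-10T12:05:00Z client=10.0.0.9 method=GET url=https://zedrun-app.example/downland.php status=302 location=https://zedrun-app.example/ZedRun.exe
2021-11-10T12:06:00Z client=10.0.0.7 method=GET url=https://docs.example/get status=302 location=https://static.example/manual.pdf
"""

if __name__ == "__main__":
    for f in find_decoy_downloads(SAMPLE_LOG.splitlines()):
        print(f)
```

Only the second line of the sample is reported: it is a cross-host redirect to an executable from a host whose label contains a watched brand. The same-host redirect and the PDF redirect are left alone, which keeps the rule quiet on ordinary CDN hand-offs; in production the registrable-label split should use a public-suffix list, and the alias table should be kept alongside the brands an organisation actually cares about.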

Unfortunately, scammers are not only targeting individual users but are also going after established organizations. Earlier this month, OpenSea’s security came under scrutiny after a white-hat hacker discovered a critical bug. The vulnerability could have allowed attackers to create fake blue-chip NFTs and spark a buying frenzy, potentially draining hundreds of millions of dollars.
Labels: Cyber Fraud, Discord Hack, Malware Campaign, Scamming Tool