Morphisec Lab researchers have uncovered a new malware campaign using a crypter, dubbed Babadeda, to target the crypto, NFT, and DeFi communities.
The campaign, which has potential links to Russian actors, employs fake OpenSea, Bored Ape Yacht Club, and ZED RUN marketplace domains to target the cryptocurrency and NFT communities on the group chat platform Discord.
Over the past years, many providers have reported variants of this crypter, but Morphisec is the first to reveal how it targets the NFT community specifically. With a market value of more than $2.5 trillion, the cryptocurrency market is a prime target for attackers.
According to Morphisec researchers, the crypter evades signature-based antivirus solutions and delivers RAT payloads that give attackers administrative control over a target's computer.
“Babadeda is a highly dangerous crypter. Targeting cryptocurrency users through trusted attack vectors gives its distributors a fast-growing selection of potential victims,” stated Hido Cohen and Arnold Osipov, security researchers at Morphisec. “Once on a victim’s machine, masquerading as a known application with a complex obfuscation also means that anyone relying on signature-based malware effectively has no way of knowing Babadeda is on their machine – or of stopping it from executing.”
Attackers' Methodology
The threat actor creates a Discord bot account on the company's official Discord server, which lets them impersonate the channel's official account. The actor then sends users a private message on Discord inviting them to download a related application, promising access to new features and benefits in return. The link redirects the user to a decoy site, which serves a malicious installer embedding the crypter and its RAT payload.
“Upon clicking ‘Download APP,’ the site will generally navigate to /downland.php, which will redirect the download request to a different domain (this makes it less likely that someone will detect a decoy site),” the researchers explained. “Interestingly, on one of these decoy sites, we noticed an HTML object written in Russian. This suggests that the threat actor’s origins may be in a Russian-speaking country since they most likely forgot to translate the HTML object from their native language into English.”
To evade detection, the attackers masked their malicious intent behind legitimate-looking applications. The decoy sites' domain names and user interfaces mimicked the originals, and the sites carried signed certificates enabling HTTPS connections. The researchers identified 82 domains registered between July 24, 2021, and November 17, 2021, that were used in this campaign.
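The decoy-site pattern above (lookalike domains for the targeted marketplaces plus the /downland.php download path quoted by the researchers) can be turned into a simple triage check for web proxy or DNS logs. The following is an added example, not code from Morphisec or from the article; the brand labels and the known-good host list are assumed placeholders that a defender would replace with their own allowlist, and the sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumed brand labels (registrable part only); placeholders, not from the article.
BRAND_LABELS = ("opensea", "boredapeyachtclub", "zedrun")
# Download path the researchers observed on the decoy sites.
SUSPICIOUS_PATH = "/downland.php"


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to spot near-miss spellings of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """Second-level label with separators stripped, e.g. 'open-sea.io' -> 'opensea'."""
    parts = host.lower().split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return re.sub(r"[^a-z0-9]", "", label)


def classify_url(url: str, known_good) -> list:
    """Return reasons a URL resembles a decoy-site hit; an empty list means nothing seen."""
    parsed = urlsplit(url)
    host = parsed.hostname or ""
    reasons = []
    if host not in known_good:
        label = registrable_label(host)
        for brand in BRAND_LABELS:
            dist = levenshtein(label, brand)
            # Near-miss spelling, or the brand embedded in a longer label (e.g. 'openseaapp').
            if label != brand and (dist <= 2 or brand in label):
                reasons.append(f"lookalike of {brand} (edit distance {dist})")
                break
        if label in BRAND_LABELS:
            reasons.append(f"brand label {label} on unapproved host")
    if parsed.path == SUSPICIOUS_PATH:
        reasons.append("download path matches campaign redirect")
    return reasons


if __name__ == "__main__":
    # Constructed sample log entries, not real campaign indicators.
    allow = {"opensea.io"}
    for u in ("https://opensea.io/collection", "https://open-sea.io/downland.php",
              "https://openseea.net/app", "https://example.com/index.html"):
        print(u, "->", classify_url(u, allow) or "clean")
```

Edit-distance thresholds are a heuristic: short brand labels produce more false positives, so review hits against the allowlist rather than blocking on the score alone.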
Unfortunately, scammers are not only targeting individual users but also established organizations. Earlier this month, OpenSea's security came under scrutiny after a white-hat hacker discovered a critical bug. The vulnerability could have allowed attackers to create fake blue-chip NFTs and spark a buying frenzy, potentially draining hundreds of millions.