Discord malware campaign targets crypto and NFT communities – BleepingComputer

BitcoinMorphisec, its infection rates are picking up speed.

Phishing on Discord

The delivery chain begins on public Discord channels enjoying large viewership from a crypto-focused audience, such as new NFT drops or cryptocurrency discussions.

The threat actors post on these channels or send private messages to prospective victims, inviting them to download a game or an app.

In some cases, the actors impersonate existing blockchain software projects like the “Mines of Dalarna” game.

Phishing post on Discord
Cloned sites created for malware distribution

Source: Morphisec

The Babadeda deception

The malware is downloaded upon clicking the “Play Now” or “Download app” buttons on the above sites, hiding in the form of DLLs and EXE files inside an archive that appears like any ordinary app folder at first glance.

If the user attempts to execute the installer, they will receive a fake error message to deceive the victim into thinking that nothing happened.

In the background, though, the execution of the malware continues, reading the steps from an XML file to execute new threads and load the DLL that will implement persistence.

This persistence is done through a new startup folder item and the writing of a new registry Run key, both starting crypter’s primary executable.

Babadeda execution flow
Babadeda execution flow

Source: Morphisec

“The executable .text section’s characteristics are configured to RWE (Read-Write-Execute) — that way the actor doesn’t need to use VirtualAlloc or VirtualProtect in order to copy the shellcode and transfer the execution.” – Morphisec

“This helps with evasion since those functions are highly monitored by security solutions. Once the shellcode is copied to the executable, the DLL calls to the shellcode’s entry point (shellcode_address).”

Babadeda has been used in past malware campaigns distributing info-stealers, RATs, and even the LockBit ransomware, but in this specific campaign, Morphisec observed the dropping of Remcos and BitRAT.

Remcos is a widely-abused remote surveillance software that enables attackers to take control of the infected machine and steal account credentials, browser cookies, drop more payloads, etc.

In this case, because the campaign targets members of the crypto community, it is assumed that they are after their wallets, cryptocurrency funds, and NFT assets.

For more aggregated news content sign up for our notification email – a concise summary of all new and breaking NFT news in your own mailbox. 


Share on facebook
Share on twitter
Share on linkedin