DoubleFinger is a multi-stage loader that delivers GreetingGhoul, a cryptocurrency stealer, through a malicious PIF email attachment and uses steganography, DLL sideloading, and Process Doppelgänging to run increasingly complex payloads. The campaign targets cryptocurrency wallets with WebView2 overlays and has shown connections to Remcos RAT in some samples, with victims across Europe, the USA, and Latin America. #DoubleFinger #GreetingGhoul #Remcos #ProcessDoppelgaenging #DLLSideLoading #WebView2 #PNGSteganography
Keypoints
- DoubleFinger is a multi-stage crimeware loader delivering the GreetingGhoul cryptocurrency stealer.
- Stage 1 patches a DialogFunc in espexe.exe to run shellcode, downloads a PNG from Imgur, and locates the encrypted payload inside the image using specific magic bytes.
- Stage 2 (msvcr100.dll) is sideloaded by a legitimate Java binary in the same directory; it is a patched legitimate binary structured much like stage 1 and acts as a DLL sideloading proxy that hands off to the third stage.
- Stage 3 uses low-level Windows APIs and maps ntdll.dll to bypass security hooks, decrypting and executing the fourth-stage payload embedded in the PNG.
- Stage 4 employs Process Doppelgänging to execute the fifth stage, which then creates a scheduled task to run GreetingGhoul daily and loads the final payload from a disguised PNG.
- GreetingGhoul features WebView2 overlays to mimic wallet interfaces and steal wallet data; Remcos RAT has also been observed in related samples; victims span Europe, the USA, and Latin America.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Initial access via a malicious PIF attachment in an email message. “the victim opens a malicious PIF attachment in an email message.”
- [T1055] Process Injection – Patch DialogFunc to execute a malicious shellcode. “the DialogFunc is patched so that a malicious shellcode is executed.”
- [T1105] Ingress Tool Transfer – Download of a PNG image from Imgur.com to fetch payload. “downloads a PNG image from Imgur.com.”
- [T1027] Steganography – Embedded payload within the PNG image retrieved by the loader. “the encrypted payload within the image.”
- [T1574.001] DLL Side-Loading – Stage 2 uses a legitimate Java binary and DLL sideloading to load subsequent payloads. “the legitimate Java binary located in the same directory … a legitimate patched binary, having similar structure and functionality as the first stage.”
- [T1055.012] Process Doppelgänging – Stage 4 uses this technique to execute stage 5. “uses Process Doppelgänging to execute it.”
- [T1053.005] Scheduled Task – Stage 5 creates a scheduled task to run GreetingGhoul daily. “a scheduled task that executes the GreetingGhoul stealer every day at a specific time.”
Indicators of Compromise
- [MD5 Hash] DoubleFinger indicators – a500d9518bfe0b0d1c7f77343cac68d8, dbd0cf87c085150eb0e4a40539390a9a (DoubleFinger MD5 hashes)
- [MD5 Hash] GreetingGhoul indicators – 642f192372a4bd4fb3bfa5bae4f8644c, a9a5f529bf530d0425e6f04cbe508f1e (GreetingGhoul MD5 hashes)
- [Domain] C2 – cryptohedgefund[.]us
Read more: https://securelist.com/doublefinger-loader-delivering-greetingghoul-cryptocurrency-stealer/109982/