The new Babadeda crypter has been found targeting the crypto, NFT, and DeFi communities by breaching Discord channels.

What's new?

Hackers, allegedly of Russian origin, are hiding their payloads in application installers or programs that may appear harmless to users.
  • Hackers reportedly approach crypto-themed Discord channels or communities or send private messages to potential victims, urging them to download a game or an app.
  • As observed in some cases, threat actors impersonated the action and adventure game Mines of Dalarna.
  • The malware uses a complex obfuscation technique that keeps AV detection rates low.
  • Babadeda actors are known for dropping info-stealers, RATs, and even the LockBit ransomware. In the ongoing campaign, they are distributing Remcos and BitRAT.

Though Remcos is popularly abused by hackers for remote surveillance and stealing account credentials and browser cookies, researchers suggest that Babadeda is after crypto wallet and NFT assets this time.

How does the phishing attack work?

Hackers create Discord bot accounts that impersonate official companies.
  • Users clicking on "Play Now" or "Download app" buttons are redirected to a decoy site on a cybersquatted domain.
  • These domains carry a valid Let's Encrypt certificate and serve the site over HTTPS, making it even more challenging for unsuspecting users to identify the fraud.
  • Babadeda establishes persistence via a new Startup folder entry and a newly written registry Run key; both point to the crypter's main executable.
  • The remaining stages are carried out by the decryption and loader shellcodes.
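The persistence pattern described above (a Run key and a Startup folder item that both reference the same dropped executable) is something a defender can triage on an endpoint. The script below is an added example, not code from Cyware or from the researchers who analysed Babadeda; the autostart entries, value names and paths in it are constructed sample data, and on a non-Windows host it runs against that sample instead of reading the live registry.

```python
"""Triage Windows autostart entries for the Babadeda-style persistence pattern:
a Run-key value and a Startup-folder item that both point at the same binary,
typically sitting in a user-writable location.  Added example, not from the report."""
import ntpath
import os
import sys
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed sample data standing in for what the collector reads on a real
# host.  Value names and paths are hypothetical; "OneDrive" is a benign decoy
# so the example shows why "user-writable" alone is a noisy signal.
SAMPLE_RUN_VALUES: Dict[str, str] = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "UpdateService": r'"C:\Users\alice\AppData\Roaming\GameLauncher\launcher.exe"',
}
SAMPLE_STARTUP_ITEMS: List[str] = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\launcher.exe",
]

# Directory fragments a standard user can write to without elevation.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")


@dataclass(frozen=True)
class Finding:
    source: str                 # where the entry came from ("run-key")
    name: str                   # registry value name
    path: str                   # normalised, lower-cased executable path
    reasons: Tuple[str, ...]    # why the entry was flagged


def extract_exe(command: str) -> str:
    """Pull the executable path out of a Run-key command line.
    Quoted paths with arguments are handled; an unquoted path containing
    spaces is truncated at the first space (a known limitation of this helper)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def assess(run_values: Dict[str, str], startup_items: Iterable[str]) -> List[Finding]:
    """Flag Run-key entries that live in user-writable paths and/or whose
    binary name also appears as a Startup-folder item."""
    startup_names = {ntpath.basename(ntpath.normpath(p)).lower() for p in startup_items}
    findings: List[Finding] = []
    for name, cmd in run_values.items():
        exe = ntpath.normpath(extract_exe(cmd)).lower()
        reasons = []
        if any(marker in exe for marker in USER_WRITABLE_MARKERS):
            reasons.append("user-writable location")
        if ntpath.basename(exe) in startup_names:
            reasons.append("same binary also present in Startup folder")
        if reasons:
            findings.append(Finding("run-key", name, exe, tuple(reasons)))
    return findings


def high_confidence(findings: Iterable[Finding]) -> List[Finding]:
    """Only entries matching both indicators: the double-persistence pattern."""
    return [f for f in findings if len(f.reasons) == 2]


def collect() -> Tuple[Dict[str, str], List[str]]:
    """Read live HKCU/HKLM Run values and the user's Startup folder on Windows;
    on any other platform return the constructed sample so the example runs offline."""
    if sys.platform != "win32":
        return SAMPLE_RUN_VALUES, SAMPLE_STARTUP_ITEMS
    import winreg  # Windows-only standard-library module
    run_values: Dict[str, str] = {}
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            key = winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                run_values[name] = str(value)
                index += 1
    startup = os.path.join(os.environ.get("APPDATA", ""),
                           r"Microsoft\Windows\Start Menu\Programs\Startup")
    items = [os.path.join(startup, f) for f in os.listdir(startup)] if os.path.isdir(startup) else []
    return run_values, items


if __name__ == "__main__":
    for finding in assess(*collect()):
        level = "HIGH" if len(finding.reasons) == 2 else "info"
        print(f"[{level}] {finding.name}: {finding.path} ({'; '.join(finding.reasons)})")
```

On the sample data the benign OneDrive entry is reported at "info" level only because it lives under AppData, while the constructed "UpdateService" entry is the only high-confidence hit: its binary is both in a user-writable directory and duplicated in the Startup folder, which is the double-persistence pattern the report attributes to the crypter. Matching on file name rather than full path is deliberate, since the Startup-folder copy and the Run-key target need not share a directory.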

How to help yourself in case of a theft?

If your crypto tokens were stolen, seek assistance from the customer service of your crypto exchange or wallet so that action can be taken to prevent further loss of tokens. Secondly, change your password right away. The chances of getting tokens back are very slim, even if you trace the currency on public ledgers. Also, try developing a habit of storing cryptocurrency and coins in hardware wallets.

Cyware Publisher
