Double trouble: crypto-stealing DoubleFinger

We explain how the advanced malware DoubleFinger downloads GreetingGhoul, a stealer that preys on cryptocurrency wallets.

How DoubleFinger malware steals crypto

Cryptocurrencies are under attack from all sorts of criminal schemes — from mundane Bitcoin mining scams to grandiose cryptocurrency heists worth hundreds of millions of dollars.

For cryptocurrency owners, dangers lurk at literally every turn. Just recently we talked about fake cryptowallets — which look and work just like real ones but eventually steal all your money. Now our experts have discovered a brand new threat: a sophisticated attack using the DoubleFinger loader, which brings along its friends in the shape of the cryptostealer GreetingGhoul and the remote-access Trojan Remcos. But first things first..

How DoubleFinger installs GreetingGhoul

Our experts noted the high technical level of the attack and its multistage nature, by which it resembles an advanced persistent threat (APT) attack. A DoubleFinger infection starts with an email containing a malicious PIF file. Once the recipient opens the attachment, a chain of events begins, as follows:

Stage 1. DoubleFinger executes a shellcode that downloads a file in PNG format from the image-sharing platform Imgur.com. But it’s not really an image at all: the file contains multiple DoubleFinger components in encrypted form, which are used in subsequent stages of the attack. These include a loader for use in the second stage of the attack, a legitimate java.exe file, and another PNG file to be deployed later, at the fourth stage.

Stage 2. The DoubleFinger second-stage loader is run using the above-mentioned legitimate java.exe file, after which it executes another shellcode that downloads, decrypts and launches the third stage of DoubleFinger.

Stage 3. At this stage, DoubleFinger performs a series of actions to bypass security software installed on the computer. Next, the loader decrypts and launches the fourth stage, which is contained in the PNG file mentioned in the first stage. Incidentally, this PNG file contains not only the malicious code but also the image that lent the malware its name:

The PNG file used by DoubleFinger with the fourth-stage malicious code

The two fingers from which DoubleFinger got its name. (Note: some languages define a thumb as a finger, unlike in English)

Stage 4. At this step, DoubleFinger launches the fifth stage using a technique called Process Doppelgänging, whereby it replaces the legitimate process with a modified one that contains the fifth-stage payload.

Stage 5. After all the above manipulations, DoubleFinger gets down to doing what it was designed for: loading and decrypting yet another PNG file — this one containing the final payload. This is the GreetingGhoul cryptostealer, which installs itself in the system and is scheduled in Task Scheduler to run daily at a certain time.

How GreetingGhoul steals cryptowallets

Once the DoubleFinger loader has done its job, GreetingGhoul comes directly into play. This malware contains two complementary components:

  1. one that detects cryptowallet applications in the system and steals data of interest to the attackers (private keys and seed phrases);
  2. one that overlays the interface of cryptocurrency applications and intercepts user input.
GreetingGhoul overrides the interface of cryptocurrency applications

Example of GreetingGhoul overlaying the interface of cryptowallet applications

As a result, the cybercriminals behind DoubleFinger are able to take control of the victim’s cryptowallets and withdraw funds from them.

Our experts found several DoubleFinger modifications, some of which — the icing on the cake — install the quite common (in cybercriminal circles) remote access Trojan Remcos in the infected system. Its intended purpose is right there in the name — REMote COntrol & Surveillance. In other words, Remcos allows cybercriminals to observe all user actions and seize full control of the infected system.

How to protect your cryptowallets

Cryptocurrencies continue to be a magnet for cybercriminals, so all cryptoinvestors need to think hard about security. Speaking of which, we recommend reading our recent post Protecting crypto investments: four key steps to safety. Meanwhile, here’s a summary of its key points:

  • Expect scams. The cryptocurrency world is full of scammers of every stripe, so constantly scan the horizon for booby traps, and always check and double-check everything meticulously.
  • Don’t put all your eggs in one basket. Use a combination of hot wallets (for current transactions) and cold wallets (for long-term investments).
  • Learn how cybercriminals can attack cold crypto wallets.
  • Purchase from official sources: only buy hardware wallets from official and trusted sources, such as the manufacturer’s website or authorized resellers; this is to avoid buying a fake crypto wallet.
  • Check for signs of tampering: before using a new hardware wallet, inspect it for any signs of tampering, such as scratches, glue, or mismatched components.
  • Verify the firmware: always verify that the firmware on the hardware wallet is legitimate and up-to-date. This can be done by checking the manufacturer’s website for the latest version.
  • Never fill your recovery seed for a hardware wallet on a computer. A hardware wallet vendor will never you ask for that.
  • Protect passwords, keys and seed phrases. Use strong and unique passwords, store them securely, and, of course, never give your private keys or seed phrases to anyone under any circumstances.
  • Protect yourself. Be sure to install reliable protection on all devices you use for managing cryptowallets.

Tips