Crypters are a type of software that cybercriminals use to encrypt, obfuscate, and manipulate malware so that harmful code appears innocuous and is harder for security tools to detect, a holy grail for malware creators.
In a report released this week, Morphisec researchers noted that “this malware installer has been utilised in a number of recent campaigns to deploy information stealers, RATs, and even LockBit ransomware.” According to reports, the malware dissemination attacks began in May 2021.
The infiltrations observed by Morphisec involved the threat actor sending decoy messages to prospective users on Discord channels related to blockchain-based games such as Mines of Dalarnia, urging them to download an application. Should a victim click a URL embedded within the message, the individual is directed to a phishing domain that is designed to resemble the game’s legitimate website and that includes a link to a malicious installer containing the Babadeda crypter.
Morphisec attributed the attacks to a threat actor from a Russian-speaking country, owing to the Russian-language text displayed on one of the decoy sites. As many as 84 malicious domains, created between July 24, 2021, and November 17, 2021, have been identified to date.
Upon execution, the installer triggers an infection sequence that decodes and loads the encrypted payload, in this case BitRAT and Remcos, to harvest valuable information.
“Targeting cryptocurrency users through trusted attack vectors gives its distributors a fast-growing selection of potential victims,” the researchers said. “Once on a victim’s machine, masquerading as a known application with a complex obfuscation also means that anyone relying on signature-based malware effectively has no way of knowing Babadeda is on their machine — or of stopping it from executing.”
A new malware campaign on Discord uses the Babadeda crypter to hide malware that targets the crypto, NFT, and DeFi communities.
Babadeda is a crypter used to encrypt and obfuscate malicious payloads in what appear to be harmless application installers or programs.
Since May 2021, threat actors have been distributing remote access trojans, obfuscated by Babadeda and disguised as a legitimate app, on crypto-themed Discord channels. Due to its complex obfuscation, it has a very low AV detection rate, and according to researchers at Morphisec, its infection rates are picking up speed.
The delivery chain begins on public Discord channels that enjoy large viewership from a crypto-focused audience, such as channels for new NFT drops or cryptocurrency discussions. The threat actors post on these channels or send private messages to prospective victims, inviting them to download a game or an app.
In some cases, the actors impersonate existing blockchain software projects like the “Mines of Dalarnia” game.