A new malware campaign on Discord uses the Babadeda crypter to hide malware targeting the crypto, NFT and DeFi communities.
Babadeda is a crypter: a tool used to encrypt and hide malicious payloads inside what appear to be harmless programs or application installers.
As of May 2021, threat actors have been distributing remote access Trojans obfuscated by Babadeda, disguised as legitimate applications, on crypto-themed Discord channels.
Thanks to its complex obfuscation, it has a very low AV detection rate, and according to Morphisec researchers its infection rate is accelerating.
Phishing on Discord
The delivery chain begins on public Discord channels with a large crypto-focused audience, such as those devoted to new NFT drops or cryptocurrency discussion.
Threat actors post on these channels or send private messages to potential victims, inviting them to download a game or an application.
In some cases, actors pose as existing blockchain software projects such as the “Mines of Dalarna” game.
If the user is tricked into clicking the provided URL, they end up on a decoy site hosted on a cybersquatted domain that is easy to mistake for the real one.
These domains use a valid Let's Encrypt certificate and serve the site over HTTPS, making the fraud even harder for careless users to spot.
Other lure sites used in this campaign are listed below:
The malware is downloaded by clicking the “Play Now” or “Download Application” buttons on these sites; it hides as DLL and EXE files inside what at first glance looks like an ordinary application folder.
If the user runs the installer, they are shown a fake error message to make the victim believe nothing happened.
In the background, however, the malware continues executing, reading the steps from an XML file to spawn new threads and load the DLL that implements persistence.
Persistence is achieved through a new startup folder item and a new registry Run key, both of which launch the main crypter executable.
“The executable’s .text section characteristics are configured for RWE (read-write-execute); that way, the actor does not need to use VirtualAlloc or VirtualProtect to copy the shellcode and transfer execution.” – Morphisec
“This helps with evasion since those functions are highly monitored by security solutions. Once the shellcode is copied into the executable, the DLL calls the shellcode entry point (shellcode_address).”
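As an added illustration (not code from the article or from Morphisec), here is a small Python check for the trait the quote describes: a PE section table entry, typically .text, marked both writable and executable. The PE images it inspects are constructed header-only fixtures built in the script, not real samples, and the section flag values are the documented Windows IMAGE_SCN_* constants.

```python
import struct

# Section flags from the IMAGE_SECTION_HEADER Characteristics field
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def section_table(pe_bytes):
    """Parse a PE image's section table; returns [(name, characteristics), ...]."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe_bytes, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe_bytes, coff + 16)[0]
    first = coff + 20 + opt_size          # COFF file header is 20 bytes
    out = []
    for i in range(num_sections):
        hdr = first + i * 40              # each section header is 40 bytes
        name = pe_bytes[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", pe_bytes, hdr + 36)[0]
        out.append((name, chars))
    return out

def rwe_sections(pe_bytes):
    """Names of sections that are writable AND executable: a normal compiler
    never emits .text this way, so a hit is worth a closer look."""
    wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return [n for n, c in section_table(pe_bytes) if c & wx == wx]

def build_header_only_pe(sections):
    """Constructed fixture: MZ stub, PE signature, COFF header and a section
    table with no optional header or section data. Not loadable; it only
    exercises the parser offline."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x22)
    table = b"".join(name.ljust(8, b"\0") + b"\0" * 28 + struct.pack("<I", c)
                     for name, c in sections)
    return dos + b"PE\0\0" + coff + table

NORMAL = build_header_only_pe([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
    (b".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)])
SUSPICIOUS = build_header_only_pe([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),
    (b".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)])

if __name__ == "__main__":
    for label, img in (("normal", NORMAL), ("suspicious", SUSPICIOUS)):
        print(label, rwe_sections(img))   # normal [] / suspicious ['.text']
```

To run the same check on a file from disk, pass `open(path, "rb").read()` to `rwe_sections`; the parser only needs the headers, so a partial read of the first few kilobytes is enough.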
Babadeda has been used in past malware campaigns distributing information stealers, RATs, and even LockBit ransomware, but in this particular campaign Morphisec observed Remcos and BitRAT being dropped.
Because this campaign targets members of the crypto community, the attackers are presumably after victims' wallets, cryptocurrency funds, and NFT assets.