2023-07-11

Mexico City.- A new threat against digital cryptocurrency wallets is actively circulating in Europe, the United States and Latin America, the cybersecurity firm Kaspersky warned.

It is a sophisticated malware called “DoubleFinger” that seeks to steal cryptocurrencies even from physical or hardware wallets, which are considered more secure than common digital wallets.

The GreetingGhoul stealer program is the highlight of this type of scam, as it has two components: the first detects whether cryptocurrency wallet applications are installed on the infected machine.

Once targets are detected, the second module creates screens that will overlay the wallet’s application window to steal credentials, recovery phrases, and digital asset keys, the firm explained.

“Research shows that the infection begins when the victim opens a malicious PIF file, included as an email attachment, which infects the computer with DoubleFinger.

“This loader takes care of the infection process, which is divided into five stages to evade detection by security products,” he said.

In addition to the GreetingGhoul stealer, Kaspersky also found DoubleFinger samples that download Remcos RAT, a commercial remote access trojan (RAT) that is commonly used by cybercriminals in targeted attacks against businesses and organizations.

In this case, the group uses this capability to bypass digital wallet applications that only work on pre-authorized computers: the attackers remotely access those authorized devices and commit the fraud from there.

Kaspersky explained that the attack on crypto wallets operates in five stages and manages to steal even assets stored in a hardware wallet, a physical device kept disconnected from the Internet, which makes such wallets more secure than common digital wallets.

The scam uses the DoubleFinger loader to download malicious files onto the infected system: the GreetingGhoul cryptocurrency stealer and the Remcos remote access trojan (RAT) used to control the compromised device, it added.

The analysis by Kaspersky experts highlights the high technical level of the attack and its multi-stage nature, making it similar to an Advanced Persistent Threat attack.

To keep crypto assets safe, Kaspersky recommended buying official products, checking for signs of tampering, always verifying that the firmware on the hardware wallet is legitimate and up to date, and using a strong password.