Discord users have been targeted with a new malware campaign that primarily uses the Babadeda crypter to hide malware.
Babadeda is a crypter used to encrypt and disguise malicious payloads and disguise them as harmless applications or installers.
Since May of this year, threat actors have been busy distributing remote Trojans disguised by Babadeda, posing as legitimate apps on crypto-themed Discord channels.
Its complex disguise gives it a very low AV detection rate, and according to Morphisec researchers, its infection rate is increasing day by day.
The delivery chain begins on public Discord channels with large audiences from a crypto-focused audience, such as NFT and cryptocurrency discussions. Attackers interact on these channels and send private messages to potential victims, inviting them to download a game or app.
There have even been cases where the threat has come from actors running existing blockchain software projects such as the game “Mines of Dalarna.”
When the user clicks on the specified URL, they are taken to a decoy site that operates a cyberdomain that is so easily passed on to the legitimate domain. These domains use a valid LetsEncrypt certificate and support an HTTPS connection, making the scheme even more credible.
The malware is downloaded when you click on the “Play Now” or “Download app” buttons on the aforementioned pages and mask themselves in the form of DLLs and EXE files within an archive that at first glance looks like any normal app folder.
As soon as the victim tries to run the installer, they receive a fake error message that leads them to believe that nothing has happened. In the background, the malware continues to run.
Babadeda has been used in past malware campaigns to spread infotainment stealers, RATs as well as LockBit ransomware.
The attackers are believed to have targeted the victims’ cryptocurrency wallets, cryptocurrency funds and NFT assets.