A sophisticated multi-stage malware campaign has been identified targeting participants in the cryptocurrency market. The chain begins with a malicious ZIP archive containing a Windows shortcut (.lnk) file. When the shortcut is opened, it launches PowerShell, which downloads a script from a remote server; that script then carries out the later stages that compromise the victim's system. The PowerShell script is obfuscated to evade signature-based detection and to make analysis harder.
The campaign notably abuses two legitimate tools, RDP Wrapper and Tailscale, to obtain and keep remote access. RDP Wrapper is an open-source utility that hooks the Terminal Services library (termsrv.dll) to lift Windows' single-interactive-session limit, allowing several Remote Desktop Protocol (RDP) sessions at once. For an attacker this means an RDP login that runs alongside the victim's own session instead of disconnecting it, so the victim is far less likely to notice the intrusion and the access survives reboots as an ordinary service. Tailscale is a WireGuard-based mesh VPN; enrolling the victim's machine into an attacker-controlled Tailscale network gives the attacker a direct, encrypted route to RDP and other services on the host even behind NAT or a perimeter firewall, with no inbound port to open and with the tunnel traffic blending in with legitimate VPN use. Over that channel the attacker can run commands and exfiltrate data.
Geographic and industry-specific targeting is evident: the lure is aimed at Indian cryptocurrency users. The attackers display a decoy PDF about cryptocurrency futures trading on CoinDCX, an Indian exchange, so the victim sees the document they expected while the infection proceeds. After the initial stage, the malware runs a Go-based loader that first checks whether it is executing inside a virtual machine or sandbox, and only then downloads additional payloads, including GoDefender and potentially malicious drivers, to extend control of the host and evade security tooling.
To counter this kind of campaign, proactive measures are recommended. On the detection side: alert on powershell.exe launched with an encoded command (-EncodedCommand and its abbreviated forms such as -e and -enc), especially as a child of explorer.exe, which is what a double-clicked shortcut produces; alert on shortcut files extracted from archives that spawn scripting hosts; and inventory unsanctioned installations of RDP Wrapper (rdpwrap.dll, RDPWInst.exe) and Tailscale (the tailscaled service). On the hardening side: restrict who may log on through Remote Desktop Services, limit local administrator rights so that termsrv.dll cannot be hooked and VPN clients cannot be installed silently, keep User Account Control (UAC) at its stricter prompting levels rather than lowered, and segment the network so that a compromised workstation cannot reach sensitive systems or serve as a pivot.