
Babadeda Crypter

The cryptocurrency market has grown to a valuation of more than $2.5 trillion. That success has made it a prime target for cybercriminals, who now build malware tailored specifically to the crypto, NFT (non-fungible token) and DeFi (decentralized finance) communities. One such threat, Babadeda Crypter, was analyzed in a report by Morphisec Labs.

The threat is distributed through Discord servers and acts as an initial-stage loader whose job is to drop and run a second payload: RATs (Remote Access Trojans), infostealers, or ransomware such as LockBit. Certain elements found in the analysis point towards the creators of Babadeda Crypter being Russian-speaking individuals.

Initial Attack Vector

The threat actor joins legitimate Discord servers, such as the one for the PC game Mines of Dalarna mentioned in the Morphisec Labs report, and sends phishing private messages to other members. In some of the observed lures, the message claims that the supplied link unlocks additional features or benefits for the targeted user. The link instead leads to a dedicated decoy site.

The attackers put great effort into making their fake sites resemble the originals. The fake domain names differ from the legitimate ones by a single letter. The domains carry valid TLS certificates so the page loads over HTTPS, which removes the browser warning a victim might otherwise notice; the padlock only proves the attacker controls that look-alike domain, not that the site is genuine. The graphical design of the page is then copied from the original. In addition, the attackers use redirects to hide the fact that clicking the 'Download APP' button leads to a suspicious destination.
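The one-letter-off domain trick described above is something a defender can screen for with an edit-distance check against the domains the organisation or community cares about. The following is an added example, not code from the original page or from the Morphisec report; the protected-domain list and the URLs fed to it are constructed for illustration, and the check assumes protected domains are plain two-label names (no public-suffix handling).

```python
"""Flag look-alike domains that sit one edit away from a protected domain.

Added example, not from the original page or the Morphisec report.
The protected-domain list and sample URLs are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed list of domains we want to protect against look-alikes.
PROTECTED_DOMAINS = ["minesofdalarna.com", "discord.com"]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # delete ca
                           cur[j - 1] + 1,           # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_host(url: str) -> str:
    """Lower-cased host from a URL or bare host string, without 'www.'.

    Assumption: protected domains are two-label names, so no public-suffix
    list is consulted here."""
    host = (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def lookalike_verdict(url: str, protected=PROTECTED_DOMAINS, max_distance: int = 1):
    """Return (verdict, closest_protected_domain, distance).

    'legitimate' on an exact match, 'lookalike' when the host is within
    max_distance edits of a protected domain, otherwise 'unrelated'."""
    host = registrable_host(url)
    closest, best = None, None
    for legit in protected:
        d = levenshtein(host, legit)
        if best is None or d < best:
            closest, best = legit, d
    if best == 0:
        return ("legitimate", closest, 0)
    if best <= max_distance:
        return ("lookalike", closest, best)
    return ("unrelated", closest, best)


if __name__ == "__main__":
    # Constructed URLs: the real site, two one-letter-off fakes, an unrelated host.
    for u in ["https://minesofdalarna.com/download",
              "https://www.minesofdalarnna.com/app",
              "https://minesofda1arna.com/app",
              "https://example.org"]:
        print(u, "->", lookalike_verdict(u))
```

Feed it the links extracted from Discord messages, proxy logs or newly registered domain feeds. It only catches ASCII single-edit variants; internationalised domain names with homoglyphs need punycode decoding and a confusables table on top of this.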

Extensive Evasion Techniques

The authors equipped Babadeda Crypter with numerous detection-evasion techniques, and as a result it defeats signature-based security solutions. At multiple stages the malicious code is interleaved with code taken from legitimate applications to mask its purpose.

The threat's own files are likewise scattered among legitimate-looking ones. First, Babadeda Crypter copies its compressed files into a newly created folder with a legitimate-sounding name. The folder is placed in one of the following per-user, user-writable locations:

C:\Users\<username>\AppData\Roaming (%APPDATA%)

C:\Users\<username>\AppData\Local (%LOCALAPPDATA%)

Numerous other files taken from open-source or free applications are dropped into the same folder. Without inspecting the folder in detail, many users will assume it belongs to a harmless application.
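A hunt for the behaviour just described, written as an added example (not code from the original page or from Morphisec): it scans process-creation events for executables launched from a user-writable AppData folder that is not on an allowlist of known per-user installs, and notes when the parent process is the Discord client, a browser or Explorer, which is the download-and-run pattern this campaign relies on. The events, the allowlist and the folder name "Dalarna Launcher" are constructed for this example; real events would come from Sysmon Event ID 1 or a comparable EDR feed.

```python
"""Hunt for executables launched from per-user AppData folders.

Added example; not code from the original page or from Morphisec.
Events, the allowlist and folder names below are constructed.
"""
import re

# Either user-writable AppData root, matched case-insensitively.
APPDATA_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)

# Constructed allowlist of per-user installers that legitimately run from
# AppData. Discord itself lives under AppData\Local\Discord, so it is listed.
ALLOWED_PREFIXES = (
    "\\appdata\\local\\discord\\",
    "\\appdata\\local\\microsoft\\",
    "\\appdata\\local\\programs\\",
)

# Parents that mean a user just clicked something: the Discord client,
# common browsers, or Explorer opening a downloaded file.
USER_LAUNCH_PARENTS = {"discord.exe", "chrome.exe", "msedge.exe",
                       "firefox.exe", "explorer.exe"}

# Constructed process-creation events; field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"UtcTime": "2021-11-20 10:01:12",
     "Image": r"C:\Users\alice\AppData\Local\Discord\app-1.0.9003\Discord.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"UtcTime": "2021-11-20 10:05:40",
     "Image": r"C:\Users\alice\AppData\Roaming\Dalarna Launcher\launcher.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Discord\app-1.0.9003\Discord.exe"},
    {"UtcTime": "2021-11-20 10:06:02",
     "Image": r"C:\Program Files\Git\bin\git.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"UtcTime": "2021-11-20 10:09:55",
     "Image": r"C:\Users\alice\AppData\Local\Temp\7zO4A1\setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def basename(path: str) -> str:
    """Last path component, lower-cased (Windows separators)."""
    return path.rsplit("\\", 1)[-1].lower()


def is_allowlisted(image: str) -> bool:
    low = image.lower()
    return any(prefix in low for prefix in ALLOWED_PREFIXES)


def evaluate_event(event: dict):
    """Return a reason string when the event matches the hunt, else None."""
    image = event["Image"]
    if not APPDATA_RE.search(image):
        return None                      # not running from AppData at all
    if is_allowlisted(image):
        return None                      # known per-user install location
    reasons = ["executable launched from user-writable AppData folder"]
    parent = basename(event.get("ParentImage", ""))
    if parent in USER_LAUNCH_PARENTS:
        reasons.append(f"parent {parent} suggests a user-driven download-and-run")
    return "; ".join(reasons)


def hunt(events):
    """Return (UtcTime, Image, reason) for every event that matches."""
    findings = []
    for ev in events:
        reason = evaluate_event(ev)
        if reason:
            findings.append((ev["UtcTime"], ev["Image"], reason))
    return findings


if __name__ == "__main__":
    for when, image, reason in hunt(SAMPLE_EVENTS):
        print(f"{when}  {image}\n    {reason}")
```

Run against the sample, the "Dalarna Launcher" execution spawned by Discord is flagged, as is the self-extracting installer in Temp; the second hit shows where tuning is needed, since many legitimate installers unpack to Temp. To focus on the "newly created folder" aspect, correlate the hit with a file-creation event (Sysmon Event ID 11) for the same directory in the preceding minutes.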

Certain variants of Babadeda Crypter also display a decoy error message when the threat is executed. The fake message can serve as an evasion technique (a sandbox or analyst may conclude the sample simply failed) or as a distraction that hides the harmful activity taking place in the background.

Babadeda is a highly capable crypter: a packer and loader whose purpose is to hide a potent payload from detection and deliver it to the victim's system. It masquerades as a legitimate application and uses multiple layers of obfuscation to avoid detection. Users should treat unsolicited messages offering bonuses, early access or extra features with caution, even when they arrive through a server they trust, and should check the exact spelling of any domain before downloading from it.
