With examples changing hands for up to $69 million, hosting digital content on blockchain and selling it to investors has become one of the most lucrative things creators can do. And as rock stars, international artists, and even politicians keep "minting" non-fungible tokens (NFTs) and investors keep rushing in to buy them, the NFT space has undergone exponential growth.
As of January this year, the NFT market is worth at least $4 billion — up from around $250 million in 2020 (the year when NFTs first came to public attention). This means that regardless of whether you think NFTs are just "expensive jpegs" or a future-focused investment, interest in NFTs is rocketing and likely to keep growing, with some forecasts putting the NFT market at $80 billion by 2025.
Unfortunately, threat actors have not missed this growth, and malicious activity within the NFT investment space is surging. Using investor interest in NFTs and cryptocurrency as an entry point for phishing attacks, cybercriminals are increasingly deploying credential-stealing malware to hijack crypto accounts and steal cryptocurrencies and other digital assets.
Last year, Morphisec’s Research Team encountered and fully disclosed the inner workings behind the Babadeda Crypter, a dynamic new threat aimed at blockchain investors on the Discord app. Since then, we have gone beyond the Babadeda Crypter to uncover the motivations, infrastructure, and activities of one of the most dangerous and fast-developing threat actor campaigns targeting this sector - and how to stop them with Moving Target Defense.
Our new report, “Journey of a Crypto Scammer - NFT-001”, covers these findings in detail. Here is a snapshot of what we discovered.
Harder for Users to Spot
The evolved crypters observed by Morphisec in the new campaign continue to be delivered through malicious Discord bots operating within NFT and crypto communities. These bots direct users to decoy websites where they are prompted to download malicious desktop applications.
While this methodology hasn't changed since our discovery of the Babadeda Crypter in 2021, the message bots have gained more advanced phishing capabilities in the latest iterations of the attack chain.
The variety of sites and applications being used as decoys has also grown, with more communities being targeted. To make malware delivery easier, attackers are now also leveraging distributed application architecture to centralize delivery.
Impossible for Signature-Based AV to Detect
Besides deployment, the execution process of these crypters is also becoming more sophisticated. We can confirm that many crypters now use DLL sideloading, enabling the crypter's payload to pose as a legitimate application file on the victim's device. This means that signature-based solutions will find it impossible to recognize these files as malicious.
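DLL sideloading leaves a trace that file signatures do not: a DLL carrying the name of a Windows system library is loaded from somewhere other than a system directory, typically from the same folder as the application that imports it. The following is an added example, not code from Morphisec or from the report, showing the heuristic a defender can run over image-load telemetry (for instance Sysmon Event ID 7). The list of system DLL names, the system directories and the load events are all constructed for the example; on a real host the inventory would be built by listing System32.

```python
"""Added example: flag image loads that look like DLL search-order sideloading."""
from pathlib import PureWindowsPath

# Directories Windows loads its own DLLs from (constructed, minimal set).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed inventory of DLL names that ship in System32 on a reference host.
# On a real host, build this once by listing the System32 directory.
KNOWN_SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "userenv.dll", "cryptbase.dll"}


def classify_image_load(image_path: str, dll_path: str):
    """Return None for a normal load, otherwise a short reason the load is suspect."""
    dll = PureWindowsPath(dll_path)
    if dll.name.lower() not in KNOWN_SYSTEM_DLLS:
        return None  # does not carry a system DLL's name
    if str(dll.parent).lower() in SYSTEM_DIRS:
        return None  # the genuine copy, loaded from a system directory
    # PureWindowsPath compares case-insensitively, as Windows does
    if dll.parent == PureWindowsPath(image_path).parent:
        return "system DLL name loaded from the executable's own directory"
    return "system DLL name loaded from outside the system directories"


def find_sideload_candidates(events):
    """events: iterable of (process image path, loaded DLL path) tuples."""
    findings = []
    for image, dll in events:
        reason = classify_image_load(image, dll)
        if reason:
            findings.append((image, dll, reason))
    return findings


# Constructed image-load events (process image, loaded DLL); not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Users\bob\AppData\Local\NftWallet\NftWallet.exe",
     r"C:\Users\bob\AppData\Local\NftWallet\version.dll"),
    (r"C:\Program Files\Vendor\app.exe", r"C:\Windows\System32\version.dll"),
    (r"C:\Users\bob\Downloads\setup.exe", r"C:\Users\bob\Downloads\lib\custom.dll"),
    (r"C:\Program Files\Vendor\app.exe", r"C:\ProgramData\Cache\dwmapi.dll"),
]

if __name__ == "__main__":
    for image, dll, reason in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"{reason}: {dll} (loaded by {image})")
```

The heuristic does not look at file content at all, which is the point: a sideloaded DLL can be repacked indefinitely, but the location it is loaded from is visible to any image-load sensor. In production, pair it with an allow-list for software that legitimately ships private copies of these libraries.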
Based on our research, Morphisec can now confirm that three different RATs are being used as payloads, indicating that the threat actor's goal is to steal credentials for other crypto wallets.
Morphisec Stops These Attacks with Moving Target Defense
Last year’s investigation into Babadeda showed that the crypter is highly obfuscated during execution and deployment. Now able to hide within trusted applications, crypters like Babadeda are entirely invisible to signature- and behavior-based malware detection tools.
However, one thing hasn't changed: Morphisec can still detect and stop these advanced crypter attacks before they compromise targeted devices. This is because our Moving Target Defense technology doesn't rely on scanning files for recognizable threats or on knowing whether an application can be trusted. Instead, Morphisec stops threats by morphing device memory, confusing and trapping in-memory attacks like Babadeda in real time.
Our New BDCrypter Report
Essential reading for security professionals, our report covers the above developments in detail. We also include the technical details of the attack and let defenders know the IOCs they need to look out for. Download the report “Journey of a Crypto Scammer - NFT-001” to read the full analysis.
IOCs
Decoy websites
Domains
alchemists[.]fund
metaverses-pro[.]com
ragnarok.vercel[.]fund
woofsolana[.]fund
babyswap[.]fund
spookyswap[.]fund
polygon-project[.]com
viper[.]fund
osmosiszone[.]fund
popsicle[.]fund
snowbank[.]fund
grim[.]fund
spartacadabra[.]fund
ring-finance[.]com
helium-app[.]com
zapp3r[.]com
terra-money[.]com
wonderlaned[.]com
jadeprotocol[.]fund
strongblock[.]fund
avaxbridge[.]fund
polychainsmonsters[.]com
debank[.]fund
steps[.]fund
abracadabra[.]run
boredpeyachtclub[.]com
vercel[.]fund
orca[.]mba
blocto-portto[.]fund
spartacus[.]fund
thorswap[.]fund
xyfinance[.]fund
olympus-dao[.]fund
invictusdao[.]fund
traderjoexyz[.]fund
pegaxy[.]fund
torix[.]fund
jonesdao[.]net
cocosbcx[.]fund
gitcoin[.]fund
sushi-v3[.]app
meritcircle[.]fund
biconomy[.]fund
oxdao[.]net
vvsfinance[.]fund
thor[.]fund
marinade[.]fund
paragonsdao[.]net
avalaunch-app[.]com
pancakeswaps[.]fund
diviprojects[.]com
runonflux[.]net
IP Addresses
185.212.130[.]108
185.212.130[.]109
185.212.130[.]110
185.212.130[.]111
185.212.130[.]157
185.212.130[.]129
185.212.130[.]199
185.212.130[.]132
185.212.130[.]133
185.212.130[.]218
File Servers
Domains
veeffriends[.]com
download-app-v2[.]fund
server-storage-dwl[.]com
IP Addresses
46.30.40[.]105
46.30.40[.]108
46.30.44[.]84
C2 Servers
IP Addresses
95.217.114[.]96
37.48.89[.]8
94.23.218[.]87
135.181.17[.]47
135.181.140[.]182
135.181.140[.]153
135.181.6[.]215
65.21.127[.]164
193.56.29[.]242
157.90.1[.]54
Fake applications
SHA256 Hashes
7e827e1981d2ccaec16a5b646976b0d492d555a20b9ba5dd4ba0d605dfcab2f7
c62d330c24d04b2a915529ed78ea6692360b18918886d73081300e8f97f3c544
ee8ebd97891ca6492355cfd5c964405a3269f428f91396a7c68b8aba965b4dab
a17be0cd6fe63cef8d742895c8f7a8b5ce3d4568b68c62c852388276f9d39462
4fed886fb15c2b8013471dd3a00f1dd4f92c1222d7e901e7712bc51a4e8553cf
4805e9e5317478e816c0d951dc5fa960abb2b49944ebcaac2a01b92cacd4c0e6
332a687e95a47bbae4ce2952ff288055bd8c32731a823e2a8fae04f127afd3a0
df332e7ab12e8616cc372e67a333a2e7bb8767f30918724f34d23a684db6bcb4
e5b90abfcc0bdd325d547473c30cce977dcd41906d1b5ee52569fced477343c2
14da3566bc9f211528c1824330c46789396447c83c3c830bb91490d873025df8
a19c03d7ca8f50a2c840f10631d26e1b40742c46e05964b60852e9eb8c697234
2e5455e268cf12ebc0213aa5dacb2239358c316dda3ec0f99d0f36074f41fb09
bcaaab0cd2178acdf025c7f23f10ab01906a99aca5d07e3a7e261928f8f91695
a63b3acebe111d575cdbdfeb657989ae6a92e9e41671abbf7d8e26a8fb9c38f9
2eb4b9d985bc1fad0566cb51ac504841358918aa3ea2c8062c3916d576711bb3
457753d6d5c69ddf06528bbfa0d8c9170ea5e7fac9cb87297c1eaf39c57e760b
b1865018b392f374c7237bebcdf38b72d31668ad8b1c6376eeb3a405e11ce6a2
2e3355742ee27347ec089d645a0697068c833ed7ea8fdef10d6aa1b0f87ab692
c33e81267dbc9ff93e82492a8d826e95788fd2fc8fcc79053d31d17e5c7ea8f3
2a8bf9c645496e62b71a8e3a74aebb68f8fbeae3b5b7712d36ddd2a234561a3c
d7bf594ca3051dc2c809d69254ddf00497df644e44a8b30af65318e146f35f81
7aece75112f882c05c6742213d816c2a3cc54aee9df445a21da8fd35dae2dfc2
0115ba0f26a7b7ca3748699f782538fa761f7be4845a9dc56a679acea7b76cd3
be87ab0b64d89333e96ed8f97cd5d67c374df13183b573f9a7f206217780f667
214d6681f5d82d4fa43e7a8676935ef01ddab8d0847eb3018530aedffe7ebb55
18c01e1f6e0185752dbf8c9352d74ade56ac40d25ae701d4a5954b74d0c7aeea
44b1c156635bc6cd0bfc9b784077fe4b912df90298e3cfc8bc4f98af5450e846
41f1f642353b024f2c1d709e58e0c2c7b8699a6b24f12a4f9c0ff36f86bdf2d7
466609938501952b9818091551e4d297718d03b65aa081c1af8c7ca7fc90b282
d360daf106314561e9ec57075dd4f544ad52680678a644e186758650a405b765
bfd7dac0fdd4cc92f11d775e9d27399c30e81cb6d7515f7b255d180499bfc0ca
4a289a5f0342365442564bbe9a09f7a1a3f23af0769a01769f58dd49504cca87
992aed6d1cfe2f07530deb7c6279faff141a46838165b88f73bcce5dacf8ee12
a2cd8d088ca9d67617ee4fe198232ca6b4eeec01419f2c3fbb1b543f8f166ecf
4fc19e9319a6af5c4568a1b019f06a000232892ee8e5eb8fc8c1f0d48e8c8199
f5f8917076a7ed3e13386a95904a235eedf281d8f5cc06748816b577eb5dc6ff
1da341ec03b5f70da9a6016dfefb298bffb4522408b9486314afd7fc02d0017f
3c844e66f0dafdced0861a8e2ff54fd762ba170bf5082fb2c38cdbbac5a7fecb
e99d32952bda84f32425681229ec544849156e479b7247e3e480f3a23a39c915
d6abbfbd4b7f1e84e2e9833a912b86ffc5b9ca6165ed4fe874d0071181b55353
7506a8784ac064884072a2aba84524ca27cd0b5ab66b7156d54926585673f9bf
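The indicators above are published defanged ("[.]" in place of "."), so they have to be normalised before they can be matched against telemetry. The following is an added example, not Morphisec's code or tooling, that refangs a subset of the domains, IP addresses and SHA256 hashes listed in this post and sweeps them across DNS, proxy and EDR records. The log lines are constructed for the example; only the indicator values themselves come from the lists above.

```python
"""Added example: match the post's defanged IoCs against sample log lines."""
import re

# Subset of the defanged indicators published in this post (full lists above).
DEFANGED_DOMAINS = [
    "alchemists[.]fund", "terra-money[.]com", "olympus-dao[.]fund",  # decoy sites
    "veeffriends[.]com", "download-app-v2[.]fund",                   # file servers
]
DEFANGED_IPS = ["185.212.130[.]108", "46.30.40[.]105", "95.217.114[.]96", "157.90.1[.]54"]
SHA256_HASHES = [
    "7e827e1981d2ccaec16a5b646976b0d492d555a20b9ba5dd4ba0d605dfcab2f7",
    "bfd7dac0fdd4cc92f11d775e9d27399c30e81cb6d7515f7b255d180499bfc0ca",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 'a[.]b' back into its matchable form."""
    return ioc.replace("[.]", ".").lower()


def build_ioc_sets() -> dict:
    """Normalised lookup sets, one per indicator type."""
    return {
        "domain": {refang(d) for d in DEFANGED_DOMAINS},
        "ip": {refang(ip) for ip in DEFANGED_IPS},
        "sha256": {h.lower() for h in SHA256_HASHES},
    }


# Loose extractors; every candidate is checked against the IoC sets, so a
# false positive here (e.g. 'setup.exe' looking like a hostname) is harmless.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def scan_line(line: str, iocs: dict) -> list:
    """Return [(type, matched_ioc), ...] for every indicator found in one line."""
    hits = []
    for cand in DOMAIN_RE.findall(line):
        cand = cand.lower()
        for dom in iocs["domain"]:
            # the listed domain itself, or any subdomain of it
            if cand == dom or cand.endswith("." + dom):
                hits.append(("domain", dom))
    for cand in IPV4_RE.findall(line):
        if cand in iocs["ip"]:
            hits.append(("ip", cand))
    for cand in SHA256_RE.findall(line):
        if cand.lower() in iocs["sha256"]:
            hits.append(("sha256", cand.lower()))
    return hits


def scan_lines(lines, iocs=None) -> list:
    """Return [(line_index, type, matched_ioc), ...] across all lines."""
    iocs = iocs or build_ioc_sets()
    return [(i, kind, val)
            for i, line in enumerate(lines)
            for kind, val in scan_line(line, iocs)]


# Constructed sample telemetry (not real logs): DNS, web proxy and EDR events.
SAMPLE_LOGS = [
    "2022-02-10T10:01:02Z dns client=10.0.0.23 query=cdn.alchemists.fund type=A",
    "2022-02-10T10:01:05Z dns client=10.0.0.23 query=example.com type=A",
    "2022-02-10T10:02:11Z proxy src=10.0.0.23 dst=46.30.40.105:443 "
    "host=download-app-v2.fund path=/setup.exe",
    "2022-02-10T10:02:40Z edr host=WS-23 event=file_create "
    f"sha256={SHA256_HASHES[0].upper()}",
    "2022-02-10T10:03:00Z proxy src=10.0.0.24 dst=192.0.2.10:443 host=www.example.org path=/",
]

if __name__ == "__main__":
    for idx, kind, val in scan_lines(SAMPLE_LOGS):
        print(f"line {idx}: {kind} IoC {val} -> {SAMPLE_LOGS[idx]}")
```

Two details matter in practice: the domain match covers subdomains, because decoy sites are served from hostnames such as cdn.<domain> as readily as from the apex, and hashes are compared case-insensitively, because EDR products disagree on whether they emit upper- or lowercase hex. Hash matches only catch the exact samples listed; the domain and IP matches are what remain useful once the crypter is repacked.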