Discovered by cybersecurity researchers at Morphisec, the “sophisticated” campaign aims to distribute a malware strain named Babadeda.
“We know that this malware installer [Babadeda] has been used in a variety of recent campaigns to deliver information stealers, RATs [remote access trojans], and even LockBit ransomware,” share the researchers.
We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.
Worse still, the researchers observe that Babadeda uses complex obfuscation to bypass most traditional signature-based antivirus solutions.
In their breakdown of the malware, the researchers note that the infection chain begins with the threat actors phishing users interested in crypto and NFTs by sending misleading private messages, asking them to download an app in order to access new features and additional benefits.
What makes the campaign worth paying attention to is the lengths the threat actors go to in an effort to trick victims into installing Babadeda.
“Because the actor created a Discord bot account on the official company discord channel, they were able to successfully impersonate the channel’s official account,” note the researchers.
Furthermore, the attackers use several other measures to ensure that the delivery chain looks legitimate even to technical users. For instance, they use cybersquatting to make the URLs of the decoy websites resemble that of genuine ones, and in addition to mimic the user interface, also use SSL certificates dished out by Let’s Encrypt to lend an air of legitimacy to the deception.