The Babadeda crypter is being used in a new malware campaign on Discord to disguise malware that targets crypto, NFT, and DeFi communities. Babadeda is a crypter: it encrypts and obfuscates malicious payloads and hides them inside seemingly innocent application packages or programs.
On crypto-themed Discord groups, threat actors have been distributing remote access trojans, camouflaged by Babadeda as legitimate programs, since May 2021. Because of its intricate obfuscation it has a very low AV detection rate, and according to Morphisec researchers its infection rates are increasing.
The distribution chain starts in public Discord channels with an influential crypto-focused audience, such as fresh NFT drops or cryptocurrency debates. Threat actors use these channels or send private messages to potential victims to encourage them to download an app or game. The actors, in some cases, imitate current blockchain software initiatives, such as the “Mines of Dalarna” game.
If the user is duped and clicks on the supplied URL, they are sent to a decoy site on a cybersquatted domain that can easily be mistaken for the real one. These domains carry a legitimate Let's Encrypt certificate and are served over HTTPS, making the scam even harder for unwary users to spot.
When users click the “Play Now” or “Download app” buttons on the trap sites, malware gets downloaded in the form of DLLs and EXE files within an archive that seems like any other software folder at first sight. If the user tries to run the installer, they will get a bogus error message that will make the victim believe nothing happened.
However, the malware's execution continues in the background, following instructions from an XML file to start new threads and load the DLL that provides persistence. Persistence is achieved by creating a new Startup folder item and writing a new registry Run key, both of which launch the crypter's primary executable.
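A triage check for the two persistence locations just described, added here as an example and not part of the original report or of Morphisec's tooling; it assumes Windows PowerShell on the host being examined, and the list of user-writable directories is a tunable assumption:

```powershell
# Enumerate Run/RunOnce keys and both Startup folders, then flag any entry whose
# target lives in a user-writable directory, where a dropped crypter executable
# is far more likely to sit than a properly installed program.
# Run as the user being triaged for the HKCU view; elevate for the HKLM view.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
# Assumption: these are the directories a standard user can write to; tune per estate.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, "$env:USERPROFILE\Downloads")

function Test-UserWritablePath([string]$Path) {
    foreach ($dir in $userWritable) {
        if ($dir -and $Path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}
# Extract the executable from a Run value such as "C:\x\y.exe" /arg  or  C:\x\y.exe /arg
function Get-CommandPath([string]$Command) {
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSDrive metadata
        $target = [Environment]::ExpandEnvironmentVariables((Get-CommandPath ([string]$p.Value)))
        $findings += [pscustomobject]@{ Source = $key; Name = $p.Name; Target = $target
                                        Suspicious = (Test-UserWritablePath $target) }
    }
}
$shell = New-Object -ComObject WScript.Shell   # used to resolve .lnk shortcut targets
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($item in Get-ChildItem -Path $dir -File) {
        $target = if ($item.Extension -eq '.lnk') { $shell.CreateShortcut($item.FullName).TargetPath } else { $item.FullName }
        $findings += [pscustomobject]@{ Source = $dir; Name = $item.Name; Target = $target
                                        Suspicious = (Test-UserWritablePath $target) }
    }
}
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Entries marked Suspicious are only a starting point for review: compare them against a known-good baseline and check the target binary's signature and hash before drawing conclusions.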
Babadeda has been used in previous malware operations to distribute info-stealers, RATs, and even the LockBit ransomware, but Morphisec observed Remcos and BitRAT being dropped in this campaign. Because the campaign is aimed at crypto community members, it is suspected that the attackers are after their wallets, cryptocurrency funds, and NFT assets.