Parallax RAT Targeting Cryptocurrency Firms with Sophisticated Injection Techniques

March 1, 2023 | Ravie Lakshmanan | Cryptocurrency / Cyberattack

Cryptocurrency companies have been targeted as part of a new campaign delivering a remote access Trojan called Parallax RAT.

In a new report, Uptycs says the malware “uses injection techniques to hide inside legitimate processes, making detection difficult.” “A successful infection allows the attacker to interact with the victim via Windows Notepad, which likely acts as a communication channel.”

Parallax RAT gives attackers remote access to the victim’s machine. Its capabilities include file upload and download, keystroke logging and screen capture.

It has been in use since early 2020 and was previously delivered with COVID-19 themed lures. In February 2022, Proofpoint published details of a cybercriminal threat actor dubbed TA2541 that targeted the aviation, aerospace, transportation, manufacturing, and defense industries using various RATs, including Parallax.

The first-stage payload is a Visual C++ malware that uses a process hollowing technique to inject the Parallax RAT into a legitimate Windows component called pipanel.exe.

In addition to collecting system metadata, the Parallax RAT can also access data stored on the clipboard and remotely reboot or shutdown compromised machines.

One notable aspect of the attack is the use of the Notepad utility to initiate a conversation with the victim, instructing them to connect to an attacker-controlled Telegram channel.

An analysis of Telegram chats by Uptycs reveals that the attackers are interested in cryptocurrency companies such as investment firms, exchanges and wallet service providers.

The threat actor’s approach is to search public sources such as DNSdumpster to identify the target company’s mail servers via their mail exchanger (MX) records, and then send those servers phishing emails carrying the Parallax RAT.

This development is partly a consequence of Telegram becoming an increasingly popular hub for criminal activity. The platform’s lax moderation allows threat actors to organize operations, distribute malware, steal data and promote the sale of other illegal goods.

“One of the reasons Telegram is attractive to cybercriminals is its built-in encryption capabilities and the ability to create channels and large private groups,” KELA noted in an in-depth analysis published last month.

“These features make it difficult for law enforcement and security researchers to monitor and track criminal activity on the platform. In addition, cybercriminals often communicate using coded language and alternate spellings, making the conversation even more difficult to decipher.”
