Doublefinger

Malware Profile Updated 3 months ago
DoubleFinger, a sophisticated malware originating from China, was reported in June 2023 to be used in complex attacks aimed at stealing cryptocurrency. The malware operates as a five-stage, shellcode-style loader that conceals its payloads within PNG image files downloaded from the image-sharing platform Imgur.com. Its intricate multi-stage infection mechanism resembles attacks orchestrated by Advanced Persistent Threat (APT) actors, and it is associated with ChamelGang. It employs DNS-over-HTTPS and tunneling techniques and uses tools such as ChamelDoH, FRP, and LinuxPrivilegeElevator, making it a potent threat. Its operation involves installing a crypto-stealer and a remote access Trojan (RAT), both designed to exploit and damage targeted systems, particularly those running Linux. This stealthy loading process and payload deployment are intended to evade detection by antivirus and endpoint detection and response (EDR) systems. DoubleFinger also makes use of AES128, base64, and C++ in its malicious activities.

By October 2023, an evolved version of DoubleFinger, known as ASMCrypt, had emerged. Developed by cybercriminals, ASMCrypt is a novel malware crypter and loader that builds upon DoubleFinger's stealthy capabilities and was initially used to deploy the GreetingGhoul cryptocurrency stealer. This evolution of DoubleFinger also serves as a gateway to the TOR network, enhancing its ability to conduct covert operations and making it an increased threat.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Asmcrypt | 2 | ASMCrypt is a novel malware crypter and loader that was first detailed in October 2023. It is an evolution of the DoubleFinger malware loader, which was previously used to deploy the GreetingGhoul cryptocurrency stealer. ASMCrypt was developed by cybercriminals with the aim of loading the final payl
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Loader
Payload
Trojan
Malware
Remcos
Rat
Kaspersky
Phishing
Apt
Loader Malware
Malware Loader
Windows
Crypter
Antivirus
Shellcode
Associated Malware
ID | Type | Votes | Profile Description
Greetingghoul | Unspecified | 4 | GreetingGhoul is a sophisticated malware designed to steal cryptocurrency, primarily deployed through the DoubleFinger loader, a five-stage shellcode-style loader that hides payloads in PNG image files. First reported on June 12, 2023, the DoubleFinger loader uses a technique known as Process Doppel
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Doublefinger malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
Securelist | 8 months ago | Kaspersky malware report for Q3 2023
CERT-EU | 10 months ago | Novel BunnyLoader MaaS threat examined
CERT-EU | 10 months ago | ALPHV/BlackCat ransomware attack hits major Michigan health system
CERT-EU | 10 months ago | New ASMCrypt malware loader detailed
CERT-EU | 10 months ago | Novel LostTrust ransomware operation emerges
CERT-EU | 10 months ago | Android Banking Trojan Zanubis Evolves to Target Peruvian Users
CERT-EU | 10 months ago | Cybercriminals Using New ASMCrypt Malware Loader Flying Under the Radar – GIXtools
CERT-EU | 10 months ago | A cryptor, a stealer and a banking trojan - Cyber Security Review
InfoSecurity-magazine | 10 months ago | Android Banking Trojan Zanubis Evolves to Target Peruvian Users
CERT-EU | 10 months ago | Kaspersky crimeware report: ASMCrypt, Lumma and Zanubis
CERT-EU | a year ago | IT threat evolution in Q2 2023 – GIXtools
CERT-EU | a year ago | IT threat evolution Q2 2023
DARKReading | a year ago | Cryptocurrency Attacks Quadrupled as Cybercriminals Cash In
CERT-EU | a year ago | New Loader Delivering Spyware via Image Steals Cryptocurrency Info
CERT-EU | a year ago | Anomali Cyber Watch: Cadet Blizzard - New GRU APT, ChamelDoH Hard-to-Detect Linux RAT, Stealthy DoubleFinger Targets Cryptocurrency
CERT-EU | a year ago | Beware: New DoubleFinger Loader Targets Cryptocurrency Wallets with Stealer
InfoSecurity-magazine | a year ago | Crypto Wallets Under Attack By DoubleFinger Malware
Securelist | a year ago | DoubleFinger delivers GreetingGhoul cryptocurrency stealer
CERT-EU | a year ago | Sneaky DoubleFinger loads GreetingGhoul targeting your cryptocurrency – GIXtools