Doublefinger

Malware Profile Updated 25 days ago
Download STIX
Preview STIX
DoubleFinger, a sophisticated malware originating from China, was reported in June 2023 to be used in complex attacks aimed at stealing cryptocurrency. The malware operates as a five-stage, shellcode-style loader that conceals its payloads within PNG image files, which it downloads from the image-sharing platform Imgur.com. DoubleFinger's intricate multi-stage infection mechanism bears resemblance to attacks orchestrated by Advanced Persistent Threat (APT) actors and is associated with ChamelGang. It employs DNS-over-HTTPS and Tunneling techniques, and uses tools such as ChamelDoH, FRP, and LinuxPrivilegeElevator, making it a potent threat. The malware's operation involves installing a crypto-stealer and a remote access Trojan (RAT), both of which are designed to exploit and damage targeted systems, particularly those running on Linux. This stealthy loading process and payload deployment are intended to evade detection by antivirus and endpoint detection and response (EDR) systems. In addition to these threats, DoubleFinger abuses AES128, base64, and C++ to further its malicious activities. By October 2023, an evolved version of DoubleFinger, known as ASMCrypt, emerged. Developed by cybercriminals, ASMCrypt is a novel malware crypter and loader that builds upon the stealthy capabilities of DoubleFinger. It was initially used to facilitate the deployment of the GreetingGhoul cryptocurrency stealer. This evolution of DoubleFinger also serves as a gateway to the TOR network, enhancing its ability to conduct covert operations and posing an increased threat to cybersecurity.
What's your take? (Question 1 of 5)
5db2f4d0-2340-4125-8597-b1ed7f26f2c9 Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Asmcrypt
2
ASMCrypt is a novel malware crypter and loader that has been developed by cybercriminals, as reported on October 2, 2023. The malware builds upon the stealthy DoubleFinger malware loader, which was previously used to facilitate GreetingGhoul cryptocurrency stealer deployment. ASMCrypt's emergence co
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Loader
Malware
Payload
Trojan
Remcos
Kaspersky
Rat
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
GreetingghoulUnspecified
4
GreetingGhoul is a sophisticated malware designed to steal cryptocurrency, primarily deployed through the DoubleFinger loader, a five-stage shellcode-style loader that hides payloads in PNG image files. First reported on June 12, 2023, the DoubleFinger loader uses a technique known as Process Doppel
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Doublefinger Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
CERT-EU
a year ago
Sneaky DoubleFinger loads GreetingGhoul targeting your cryptocurrency – GIXtools
Securelist
a year ago
DoubleFinger delivers GreetingGhoul cryptocurrency stealer
CERT-EU
9 months ago
IT threat evolution Q2 2023
InfoSecurity-magazine
a year ago
Crypto Wallets Under Attack By DoubleFinger Malware
CERT-EU
9 months ago
IT threat evolution in Q2 2023 – GIXtools
CERT-EU
8 months ago
Kaspersky crimeware report: ASMCrypt, Lumma and Zanubis
CERT-EU
a year ago
Anomali Cyber Watch: Cadet Blizzard - New GRU APT, ChamelDoH Hard-to-Detect Linux RAT, Stealthy DoubleFinger Targets Cryptocurrency
CERT-EU
a year ago
Beware: New DoubleFinger Loader Targets Cryptocurrency Wallets with Stealer
CERT-EU
a year ago
New Loader Delivering Spyware via Image Steals Cryptocurrency Info
Securelist
6 months ago
Kaspersky malware report for Q3 2023
CERT-EU
8 months ago
Cybercriminals Using New ASMCrypt Malware Loader Flying Under the Radar – GIXtools
DARKReading
a year ago
Cryptocurrency Attacks Quadrupled as Cybercriminals Cash In
CERT-EU
8 months ago
New ASMCrypt malware loader detailed
CERT-EU
8 months ago
Novel LostTrust ransomware operation emerges
CERT-EU
8 months ago
ALPHV/BlackCat ransomware attack hits major Michigan health system
CERT-EU
8 months ago
A cryptor, a stealer and a banking trojan - Cyber Security Review
CERT-EU
8 months ago
Android Banking Trojan Zanubis Evolves to Target Peruvian Users
InfoSecurity-magazine
8 months ago
Android Banking Trojan Zanubis Evolves to Target Peruvian Users
CERT-EU
8 months ago
Novel BunnyLoader MaaS threat examined