Doublefinger

Malware updated 6 months ago (2024-05-04T20:35:05.998Z)
DoubleFinger is a multi-stage loader first described by Kaspersky (Securelist) in June 2023, used in attacks aimed at stealing cryptocurrency. It is a five-stage, shellcode-style loader for Windows: the first stage arrives as a PIF attachment in email, and the following stages are carried inside PNG image files that the loader downloads from the image-sharing site Imgur.com, with the encrypted stage data hidden in the image. Each stage decrypts and loads the next in memory, and the fourth stage launches the final payload using Process Doppelgänging. The final payloads are the GreetingGhoul cryptocurrency stealer and the Remcos remote access Trojan (RAT). The loader uses AES-128 encryption and base64 encoding for its embedded stages and is written in C++. This in-memory, steganographic loading chain is designed to evade antivirus and endpoint detection and response (EDR) products, and Kaspersky compared its level of sophistication to APT-grade tooling. Russian-language strings in the code and victims in Europe, the US and Latin America point to a Russian-speaking actor; the analysis does not attribute the malware to China.

Some aggregated descriptions also tie DoubleFinger to ChamelGang and its DNS-over-HTTPS tunneling tools (ChamelDoH, FRP, LinuxPrivilegeElevator) and describe Linux targets. That tooling belongs to a separate, Linux-focused ChamelGang campaign reported in the same month; DoubleFinger itself is a Windows loader and the Kaspersky analysis does not link it to ChamelGang.

By October 2023 an evolved version, ASMCrypt, had emerged. ASMCrypt is a crypter and loader offered on underground forums that builds on DoubleFinger's stealthy loading chain; buyers use a builder application that communicates with the service's backend over the TOR network to package their payload so that it loads without being detected by antivirus or EDR. DoubleFinger itself had previously been used to deploy the GreetingGhoul cryptocurrency stealer.
Description last updated: 2024-05-04T16:47:35.945Z
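The description above says the loader hides encrypted stages inside PNG files fetched from Imgur. The script below is an added triage example, not code from the Kaspersky analysis or from the malware: it walks the PNG chunk structure of a downloaded image, validates chunk CRCs, flags non-standard chunk types and any data appended after IEND, and reports the Shannon entropy of those regions (encrypted payloads sit near 8 bits/byte). The exact embedding layout DoubleFinger uses is not assumed; the sample PNGs are constructed in the script itself, and the `pyLd` chunk name is a made-up label for the demonstration.

```python
"""Triage check for PNG files that may carry an embedded payload.

Generic checks a responder runs on an image fetched by a suspected loader.
Added example; it does not reproduce DoubleFinger's actual PNG layout.
"""
import math
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else is suspicious.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (random or encrypted)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c) + 0.0


def scan_png(data: bytes) -> dict:
    """Walk the chunk list and return findings. Raises ValueError on non-PNG."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG (bad signature)")
    pos = len(PNG_SIGNATURE)
    findings = {"chunks": [], "unknown_chunks": [], "bad_crc": [],
                "truncated": False, "trailing_bytes": 0, "trailing_entropy": 0.0}
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            findings["truncated"] = True          # chunk runs past end of file
            break
        expected = zlib.crc32(ctype + body) & 0xFFFFFFFF
        name = ctype.decode("latin-1")
        if struct.unpack(">I", crc_bytes)[0] != expected:
            findings["bad_crc"].append(name)      # tampered or hand-crafted chunk
        findings["chunks"].append((name, length))
        if ctype not in STANDARD_CHUNKS:
            findings["unknown_chunks"].append(
                (name, length, round(shannon_entropy(body), 2)))
        pos += 12 + length
        if ctype == b"IEND":
            break                                 # decoders stop here; stego data often follows
    trailing = data[pos:]
    findings["trailing_bytes"] = len(trailing)
    findings["trailing_entropy"] = round(shannon_entropy(trailing), 2)
    return findings


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, body, CRC32(type + body)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample(payload: bytes = b"", private_chunk: bytes = b"") -> bytes:
    """Constructed 1x1 greyscale PNG, optionally with a hypothetical private
    'pyLd' chunk and/or a blob appended after IEND (stand-ins for a hidden stage)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit grey
    idat = zlib.compress(b"\x00\x80")                    # filter byte + one pixel
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    if private_chunk:
        png += _chunk(b"pyLd", private_chunk)
    png += _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    return png + payload


if __name__ == "__main__":
    # Constructed "encrypted" blob: a uniform byte distribution gives entropy 8.0.
    blob = bytes(range(256)) * 4
    for label, sample in (("clean", build_sample()),
                          ("appended", build_sample(payload=blob)),
                          ("private chunk", build_sample(private_chunk=blob))):
        print(label, scan_png(sample))
```

Run it against a real image with `scan_png(open(path, "rb").read())`; a clean photo has no unknown chunks, zero trailing bytes and matching CRCs, so any of those findings is a reason to pull the file into the sandbox.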
Possible Aliases / Cluster overlaps
Naming conventions and cluster boundaries differ between vendors; the following overlapping names or profiles may also be relevant.
ASMCrypt (2 votes): possible alias for DoubleFinger. ASMCrypt, a novel malware crypter and loader, has been developed by cybercriminals to evade detection and load the final payload undetected by antivirus or EDR systems. First discovered on underground forums, ASMCrypt builds upon the stealthy DoubleFinger malware loader, previously used to facilitate the deployment of the GreetingGhoul cryptocurrency stealer.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance: Loader, Malware, Payload, Trojan, Remcos, Kaspersky, RAT
Associated Malware
GreetingGhoul (association type: Unspecified; 4 votes): associated with DoubleFinger. GreetingGhoul is a sophisticated malware designed to steal cryptocurrency, primarily deployed through the DoubleFinger loader, a five-stage shellcode-style loader that hides payloads in PNG image files. First reported on June 12, 2023, the DoubleFinger loader uses a technique known as Process Doppel
Source Document References
Information about the DoubleFinger malware was read from the documents corpus below (display limited to 20 results).
Source, created at:
Securelist, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
InfoSecurity-magazine, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
DARKReading, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
InfoSecurity-magazine, a year ago
Securelist, a year ago
CERT-EU, a year ago