Greetingghoul

Malware updated 7 months ago (2024-05-04T19:36:47.443Z)
GreetingGhoul is a sophisticated malware designed to steal cryptocurrency, primarily deployed through the DoubleFinger loader, a five-stage shellcode-style loader that hides its payloads in PNG image files. First reported on June 12, 2023, DoubleFinger uses a technique known as Process Doppelgänging to replace a legitimate process with a malicious payload containing GreetingGhoul. Once installed, the crypto-stealer schedules itself to run daily at a fixed time, at which point it scans for cryptocurrency wallet applications and steals sensitive data such as private keys and seed phrases. The malware also overlays the interface of cryptocurrency applications, intercepting user input to further its malicious activities.

In October 2023, a novel malware crypter and loader named ASMCrypt was developed by cybercriminals. Building on the stealthy DoubleFinger loader's capabilities, this new tool facilitates deployment of the GreetingGhoul cryptocurrency stealer. The evolution of these tools indicates increasing sophistication among cybercriminal groups and highlights the ongoing threat to cryptocurrency assets. All known indicators of compromise related to DoubleFinger and GreetingGhoul are available on the Anomali platform; users are advised to block them on their infrastructure to mitigate potential threats.

The impact of GreetingGhoul has been substantial: one campaign used a trojanized Tor browser to steal over $400,000 from more than 15,000 users across 52 countries. Another campaign used the DoubleFinger loader to install GreetingGhoul, which replaced the login window of common cryptocurrency wallets with an information-collecting duplicate. These campaigns demonstrate the malware's significant potential for financial damage and underscore the importance of robust cybersecurity measures, particularly for individuals and organizations dealing with cryptocurrencies.
Description last updated: 2024-05-04T16:47:37.716Z
Aliases: We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in identifying relevance:
Loader
Malware
Remcos
Kaspersky
Trojan
Analyst Notes & Discussion
Associated Malware
Alias: Doublefinger
Description: The Doublefinger Malware is associated with Greetingghoul. DoubleFinger, a sophisticated malware originating from China, was reported in June 2023 to be used in complex attacks aimed at stealing cryptocurrency. The malware operates as a five-stage, shellcode-style loader that conceals its payloads within PNG image files, which it downloads from the image-sh
Association Type: Unspecified
Votes: 4