GreetingGhoul is a cryptocurrency-stealing malware that is primarily deployed through the DoubleFinger loader, a five-stage shellcode-style loader that hides its payloads inside PNG image files. First reported on June 12, 2023, DoubleFinger uses a technique known as Process Doppelgänging to replace legitimate processes with a malicious payload containing GreetingGhoul. Once installed, the stealer schedules itself to run daily at a specific time, at which point it scans for crypto-wallet applications and steals sensitive data such as private keys and seed phrases. The malware also overlays the interfaces of cryptocurrency applications, intercepting what the user types into them.
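DoubleFinger's use of PNG files as payload carriers is also a detection opportunity. The following Python is an added example, not code from the report or from the Anomali platform, and it does not reproduce DoubleFinger's actual embedding scheme, which this page does not detail. It implements the generic triage check an analyst would run over image files pulled from a suspicious download: walk the PNG chunk list, verify each chunk's CRC, flag chunk types outside the PNG specification, and report any bytes that follow the IEND chunk, since a benign image ends there. The 1x1 sample images and the `CONSTRUCTED-PAYLOAD-MARKER` string are constructed inline so the script runs offline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG specification; anything else is flagged for review.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: 4-byte big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def inspect_png(blob: bytes) -> dict:
    """Walk the chunk list and report anything a benign image would not contain.

    valid_signature - file starts with the PNG magic bytes
    chunks          - chunk types in file order
    unknown_chunks  - types not in the PNG specification
    bad_crc         - chunks whose stored CRC does not match their contents
    truncated       - a chunk header claimed more data than remains
    has_iend        - an IEND chunk was found
    trailing_bytes  - number of bytes after IEND (0 for a clean image)
    """
    report = {
        "valid_signature": blob.startswith(PNG_SIGNATURE),
        "chunks": [], "unknown_chunks": [], "bad_crc": [],
        "truncated": False, "has_iend": False, "trailing_bytes": 0,
    }
    if not report["valid_signature"]:
        return report

    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(blob):          # 12 = length(4) + type(4) + crc(4)
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        data_start, data_end = pos + 8, pos + 8 + length
        if data_end + 4 > len(blob):      # header promises more than the file holds
            report["truncated"] = True
            break
        data = blob[data_start:data_end]
        (stored_crc,) = struct.unpack(">I", blob[data_end:data_end + 4])

        name = ctype.decode("latin-1")
        report["chunks"].append(name)
        if ctype not in STANDARD_CHUNKS:
            report["unknown_chunks"].append(name)
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != stored_crc:
            report["bad_crc"].append(name)

        pos = data_end + 4
        if ctype == b"IEND":
            report["has_iend"] = True
            report["trailing_bytes"] = len(blob) - pos   # anything here is not image data
            break
    return report


def is_suspicious(report: dict) -> bool:
    """A file that is not a clean, fully parsed PNG deserves a closer look."""
    return (not report["valid_signature"] or not report["has_iend"]
            or report["truncated"] or report["trailing_bytes"] > 0
            or bool(report["unknown_chunks"]) or bool(report["bad_crc"]))


def build_samples() -> dict:
    """Constructed 1x1 grayscale PNGs used as offline input (not real malware samples)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit grayscale
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
    base = [make_chunk(b"IHDR", ihdr), make_chunk(b"IDAT", idat)]
    iend = make_chunk(b"IEND", b"")
    clean = PNG_SIGNATURE + b"".join(base) + iend
    # Constructed marker standing in for a payload appended after IEND.
    appended = clean + b"CONSTRUCTED-PAYLOAD-MARKER"
    # Constructed private ancillary chunk ("pYLd") carrying the same marker inside the image.
    extra_chunk = (PNG_SIGNATURE + b"".join(base)
                   + make_chunk(b"pYLd", b"CONSTRUCTED-PAYLOAD-MARKER") + iend)
    return {"clean": clean, "appended": appended, "extra_chunk": extra_chunk}


if __name__ == "__main__":
    for label, blob in build_samples().items():
        rep = inspect_png(blob)
        print(f"{label:12s} suspicious={is_suspicious(rep)} chunks={rep['chunks']} "
              f"unknown={rep['unknown_chunks']} trailing={rep['trailing_bytes']}")
```

The check deliberately stays format-level: it makes no claim about what the extra bytes are, only that a well-formed image has no reason to carry them, which is the property a defender can verify without a sample of the loader itself.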
In October 2023, a new malware crypter and loader named ASMCrypt was developed by cybercriminals, building on the stealthy DoubleFinger loader's capabilities to deploy the GreetingGhoul cryptocurrency stealer. The evolution of these tools indicates increasing sophistication among cybercriminal groups and highlights the ongoing threat to cryptocurrency assets. All known indicators of compromise related to DoubleFinger and GreetingGhoul are available on the Anomali platform; users are advised to block them on their infrastructure to mitigate potential threats.
The impact of GreetingGhoul has been substantial: one campaign used a trojanized Tor browser to steal over $400,000 from more than 15,000 users across 52 countries. Another campaign used the DoubleFinger loader to install GreetingGhoul, which replaced the login window of common cryptocurrency wallets with an information-collecting duplicate. These campaigns show the malware's potential for significant financial damage and underscore the importance of robust security measures, particularly for individuals and organizations that handle cryptocurrency.
Description last updated: 2024-05-04T16:47:37.716Z