A new crypter, dubbed Babadeda, has been discovered being distributed through Discord channels to target the crypto, NFT, and DeFi communities.
The attackers, allegedly of Russian origin, hide their payloads inside application installers or programs that look harmless to users. According to reports, they approach crypto-themed Discord channels and communities, or send private messages to potential victims, urging them to download a game or app. In some cases the threat actors have been observed impersonating the action and adventure game Mines of Dalarnia. The crypter employs a complex obfuscation technique that makes the payload resistant to AV detection. Babadeda has previously been linked to the distribution of information stealers, RATs, and even LockBit ransomware; in the current campaign it is delivering the Remcos and BitRAT remote access trojans.
Although Remcos is commonly used for remote surveillance and for stealing account credentials and browser cookies, researchers believe that this time Babadeda is after crypto wallet and NFT assets.
The attackers set up Discord bot accounts that impersonate official companies. Users who click the “Play Now” or “Download app” buttons are redirected to a bogus site hosted on a cybersquatted domain. These domains carry a valid Let’s Encrypt certificate and serve over HTTPS, so the browser padlock gives unwary users no hint of the fraud; a certificate only proves control of the domain name, not that the name belongs to the company it resembles. Once run, Babadeda achieves persistence by creating a new Startup folder entry and a new registry Run key, both pointing to the crypter’s main executable. Decryption and loader shellcode then handle the rest, decrypting and loading the final payload.
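Because the certificate and padlock say nothing about who registered the name, the useful check is on the hostname itself. The following Python is an added example, not code from the original report or from any vendor mentioned on this page: it scores a URL's hostname against a short allowlist of legitimate domains and flags typo-squats, homoglyph substitutions, and brand domains embedded as subdomains of an attacker-controlled apex. The allowlist entries, the 0.8 similarity threshold, and the homoglyph table are assumptions chosen for illustration.

```python
import unicodedata
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Brands the lure is expected to impersonate. Constructed list for this example;
# in practice load the domains your community actually uses.
LEGITIMATE_DOMAINS = ["minesofdalarnia.com", "discord.com", "opensea.io"]

# ASCII substitutions commonly used in cybersquatted names (rendered lookalikes).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "rn": "m", "vv": "w"}


def host_from_url(url):
    """Extract the lowercase hostname from a URL or a bare host string."""
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def registrable_label(host):
    """Second-level label, e.g. 'minesofdalarnia' for 'play.minesofdalarnia.com'.
    Assumes a single-label public suffix (.com, .io); multi-label suffixes such
    as .co.uk would need a public-suffix list."""
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalize(label):
    """Fold compatibility characters (e.g. fullwidth letters), strip accents and
    hyphens, and undo simple ASCII homoglyph substitutions. Both the candidate
    and the legitimate label go through this, so the comparison stays fair."""
    label = unicodedata.normalize("NFKD", label)
    label = "".join(c for c in label if not unicodedata.combining(c))
    label = label.replace("-", "")
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def similarity(host, legit):
    """Ratio in [0, 1] between the normalized registrable labels."""
    return SequenceMatcher(None, normalize(registrable_label(host)),
                           normalize(registrable_label(legit))).ratio()


def check_domain(url, threshold=0.8):
    """Return (verdict, closest legitimate domain, similarity score).
    verdict is 'legitimate', 'lookalike' or 'unrelated'."""
    host = host_from_url(url)
    for legit in LEGITIMATE_DOMAINS:
        # Exact apex or a genuine subdomain of it.
        if host == legit or host.endswith("." + legit):
            return ("legitimate", legit, 1.0)
    for legit in LEGITIMATE_DOMAINS:
        # Brand domain embedded as a subdomain of someone else's apex,
        # e.g. minesofdalarnia.com.download-app.net
        if legit in host:
            return ("lookalike", legit, 1.0)
    best = max(LEGITIMATE_DOMAINS, key=lambda d: similarity(host, d))
    score = similarity(host, best)
    verdict = "lookalike" if score >= threshold else "unrelated"
    return (verdict, best, round(score, 2))


if __name__ == "__main__":
    for candidate in ["https://play.minesofdalarnia.com/download",
                      "https://minesofdalarnia-app.com/",
                      "rnines0fdalarnia.com",
                      "https://minesofdalarnia.com.download-app.net",
                      "https://example.org"]:
        print(candidate, "->", check_domain(candidate))
```

The deliberate omission is any TLS check: a Let’s Encrypt certificate will validate cleanly on every one of the lookalike hosts above, so it contributes nothing to the verdict.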
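On the host, a Run key value and a Startup folder item are both ordinary autorun locations, so the signal worth hunting for is the same executable registered in both at once. The following Python is an added example, not code from the original report: it triages an autorun inventory, marking anything launched from a user-writable directory as low severity and the Run-key-plus-Startup-folder double registration as high. The inventory it scans is constructed for the example (a real collector would read the Run keys and resolve the Startup folder shortcuts to their targets), and the "Dalarnia" paths are hypothetical names for a lure, not indicators from the campaign.

```python
import re
from collections import defaultdict

# Directory markers an ordinary user can write to. Autoruns launched from here
# deserve a look; installers dropped by a lure rarely land in Program Files.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\",
                         "\\programdata\\", "\\users\\public\\")

# Constructed autorun inventory, in the shape an agent would collect from
# HKCU/HKLM ...\CurrentVersion\Run values and from resolved Startup folder
# shortcuts. The "Dalarnia" entries are hypothetical and stand in for a lure
# named after the impersonated game; they are not indicators from the report.
SAMPLE_AUTORUNS = [
    {"source": "run_key",
     "location": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive",
     "command": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"source": "run_key",
     "location": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Dalarnia",
     "command": r'"C:\Users\alice\AppData\Roaming\Dalarnia\Dalarnia.exe"'},
    {"source": "startup_folder",
     "location": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dalarnia.lnk",
     "name": "Dalarnia.lnk",
     "command": r"C:\Users\alice\AppData\Roaming\Dalarnia\Dalarnia.exe"},
    {"source": "run_key",
     "location": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "SecurityHealth",
     "command": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]


def executable_path(command):
    """Pull the launched executable out of an autorun command line: a quoted
    path is taken whole, otherwise the first whitespace-delimited token."""
    command = command.strip()
    quoted = re.match(r'"([^"]+)"', command)
    if quoted:
        return quoted.group(1).lower()
    return command.split()[0].lower() if command else ""


def hunt_autoruns(entries):
    """Return findings: low severity for any autorun from a user-writable path,
    high severity when one executable is registered both as a Run value and as
    a Startup folder item (the double persistence described for Babadeda)."""
    findings = []
    sources_by_exe = defaultdict(set)
    for entry in entries:
        exe = executable_path(entry["command"])
        sources_by_exe[exe].add(entry["source"])
        if any(marker in exe for marker in USER_WRITABLE_MARKERS):
            findings.append({"severity": "low", "exe": exe, "source": entry["source"],
                             "reason": "autorun launches from a user-writable directory"})
    for exe, sources in sources_by_exe.items():
        if {"run_key", "startup_folder"} <= sources:
            findings.append({"severity": "high", "exe": exe, "source": "run_key+startup_folder",
                             "reason": "same executable persists via both Run key and Startup folder"})
    return findings


if __name__ == "__main__":
    for finding in hunt_autoruns(SAMPLE_AUTORUNS):
        print(f"[{finding['severity']}] {finding['exe']} ({finding['source']}): {finding['reason']}")
```

Legitimate software such as OneDrive also autoruns from AppData, which is why the user-writable check alone is only a low-severity lead; the double registration is what makes the Dalarnia entry stand out.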
If your crypto tokens have been stolen, contact the support team of your exchange or wallet provider so they can act to limit further loss. Change your passwords immediately as well, since Remcos also harvests account credentials and browser cookies. The chances of recovering the tokens are very small: even where the funds can be traced on the public ledger, recovery is rare. Finally, make it a habit to keep cryptocurrency holdings in a hardware wallet rather than in a software wallet on a machine that runs downloaded installers.