{
	"id": "8db771df-ec22-46e4-9b83-ebb697895f33",
	"created_at": "2026-04-06T00:06:37.101101Z",
	"updated_at": "2026-04-10T03:21:27.755648Z",
	"deleted_at": null,
	"sha1_hash": "72131717d5ecd936708956f11e93ecb500734b65",
	"title": "Sneaky DoubleFinger loads GreetingGhoul targeting your cryptocurrency",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 277326,
	"plain_text": "Sneaky DoubleFinger loads GreetingGhoul targeting your cryptocurrency\r\nBy GReAT\r\nPublished: 2023-06-12 · Archived: 2026-04-05 19:44:09 UTC\r\nIntroduction\r\nStealing cryptocurrencies is nothing new. For example, the Mt. Gox exchange was robbed of a large number of bitcoins in the early 2010s, and attackers such as those behind the CoinVault ransomware were after your Bitcoin wallets, too. Since then, stealing cryptocurrencies has continued to occupy cybercriminals.\r\nOne of the latest additions to this phenomenon is the multi-stage DoubleFinger loader, which delivers a cryptocurrency stealer. DoubleFinger is deployed on the target machine when the victim opens a malicious PIF attachment in an email message, which ultimately executes the first of DoubleFinger’s loader stages.\r\nDoubleFinger stage 1\r\nThe first stage is a modified “espexe.exe” (MS Windows Economical Service Provider Application) binary in which DialogFunc is patched so that malicious shellcode is executed. The shellcode first resolves the API functions it needs by hash (the resolution code was added to DialogFunc) and then downloads a PNG image from Imgur.com. Next, it searches the downloaded image for the magic bytes 0xea79a5c6, which mark the start of the encrypted payload embedded in the image.\r\nReal DialogFunc function (left) and patched function with shellcode (right)\r\nThe encrypted payload consists of:\r\n1. A PNG with the fourth-stage payload;\r\n2. An encrypted data blob;\r\n3. A legitimate java.exe binary, used for DLL sideloading;\r\n4. The DoubleFinger stage 2 loader.\r\nDoubleFinger stage 2\r\nThe second-stage shellcode is loaded by executing the legitimate Java binary, which sideloads the stage 2 loader (a file named msvcr100.dll) from the same directory. Like the first stage, this file is a patched legitimate binary with a similar structure and similar functionality.\r\nTo no one’s surprise, the shellcode loads, decrypts and executes the third-stage shellcode.\r\nDoubleFinger stage 3\r\nhttps://securelist.com/doublefinger-loader-delivering-greetingghoul-cryptocurrency-stealer/109982/\r\nPage 1 of 5\r\nThe third-stage shellcode differs greatly from the first and second stages. For example, it uses low-level Windows API calls, and ntdll.dll is loaded and mapped into process memory anew in order to bypass hooks set by security solutions.\r\nThe next step is to decrypt and execute the fourth-stage payload, located in the aforementioned PNG file. Unlike the downloaded PNG file, which does not display a valid image, this PNG file does. The steganography method used is, however, rather simple: the data is read from specific offsets in the file.\r\nThe aa.png file with embedded Stage 4\r\nDoubleFinger stage 4\r\nThe stage 4 shellcode is rather simple. It locates the fifth stage within itself and then uses the Process Doppelgänging technique to execute it.\r\nDoubleFinger stage 5\r\nThe fifth stage creates a scheduled task that executes the GreetingGhoul stealer every day at a specific time. It then downloads another PNG file (actually the encrypted GreetingGhoul binary prepended with a valid PNG header), decrypts it and executes it.\r\nGreetingGhoul & Remcos\r\nGreetingGhoul is a stealer designed to steal cryptocurrency-related credentials. It essentially consists of two major components that work together:\r\n1. A component that uses MS WebView2 to create overlays on cryptocurrency wallet interfaces;\r\n2. A component that detects cryptocurrency wallet apps and steals sensitive information (e.g. recovery phrases).\r\nExamples of fake windows\r\nWith hardware wallets, a user should never enter their recovery seed on the computer. A hardware wallet vendor will never ask for it.\r\nAlongside GreetingGhoul, we also found several DoubleFinger samples that downloaded the Remcos RAT. Remcos is a well-known commercial RAT often used by cybercriminals; we have seen it used in targeted attacks against businesses and organizations.\r\nVictims & Attribution\r\nWe found several pieces of Russian text in the malware. The first part of the C2 URL is “Privetsvoyu”, a misspelled transliteration of the Russian word for “Greetings”. Secondly, we found the string “salamvsembratyamyazadehayustutlokeretodlyagadovveubilinashusferu”. Despite the odd transliteration, it roughly translates to: “Greetings to all brothers, I’m suffocating here, locker is for bastards, you’ve messed up our area of interest.”\r\nLooking at the victims, we see them in Europe, the USA and Latin America. This is in line with the old adage that cybercriminals from CIS countries don’t attack Russian citizens. The pieces of Russian text and the victimology are, however, not enough to conclude that the ones behind this campaign are indeed from the post-Soviet space.\r\nConclusion\r\nOur analysis of the DoubleFinger loader and GreetingGhoul malware reveals a high level of sophistication and skill in crimeware development, akin to advanced persistent threats (APTs). The multi-staged, shellcode-style loader with steganographic capabilities, the use of Windows COM interfaces for stealthy execution, and the implementation of Process Doppelgänging for injection into remote processes all point to well-crafted and complex crimeware. The use of the Microsoft WebView2 runtime to create counterfeit interfaces of cryptocurrency wallets further underscores the advanced techniques employed by the malware.\r\nTo protect yourself against these threats, intelligence reports can help. If you want to stay up to date on the latest TTPs used by criminals, or have questions about our private reports, please contact crimewareintel@kaspersky.com.\r\nIndicators of compromise\r\nDoubleFinger\r\na500d9518bfe0b0d1c7f77343cac68d8\r\ndbd0cf87c085150eb0e4a40539390a9a\r\n56acd988653c0e7c4a5f1302e6c3b1c0\r\n16203abd150a709c0629a366393994ea\r\nd9130cb36f23edf90848ffd73bd4e0e0\r\nGreetingGhoul\r\n642f192372a4bd4fb3bfa5bae4f8644c\r\na9a5f529bf530d0425e6f04cbe508f1e\r\nC2\r\ncryptohedgefund[.]us\r\nSource: https://securelist.com/doublefinger-loader-delivering-greetingghoul-cryptocurrency-stealer/109982/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/doublefinger-loader-delivering-greetingghoul-cryptocurrency-stealer/109982/"
	],
	"report_names": [
		"109982"
	],
	"threat_actors": [],
	"ts_created_at": 1775433997,
	"ts_updated_at": 1775791287,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/72131717d5ecd936708956f11e93ecb500734b65.pdf",
		"text": "https://archive.orkl.eu/72131717d5ecd936708956f11e93ecb500734b65.txt",
		"img": "https://archive.orkl.eu/72131717d5ecd936708956f11e93ecb500734b65.jpg"
	}
}