Cryptocurrency companies are being targeted as part of a new campaign that delivers a remote access trojan called Parallax RAT.
The malware "uses injection techniques to hide within legitimate processes, making it difficult to detect," Uptycs said in a new report. "Once it has been successfully injected, attackers can interact with their victim via Windows Notepad that likely serves as a communication channel."
Parallax RAT grants attackers remote access to victim machines. It comes with features to upload and download files as well as record keystrokes and screen captures.
It has been put to use since early 2020 and was previously delivered via COVID-19-themed lures. In February 2022, Proofpoint detailed an activity cluster dubbed TA2541 targeting aviation, aerospace, transportation, manufacturing, and defense industries using different RATs, including Parallax.
The first payload is a Visual C++ malware that employs the process hollowing technique to inject Parallax RAT into a legitimate Windows component called pipanel.exe.
Parallax RAT, besides gathering system metadata, is also capable of accessing data stored in the clipboard and even remotely rebooting or shutting down the compromised machine.
One notable aspect of the attacks is the use of the Notepad utility to initiate conversations with the victims and instruct them to connect to an actor-controlled Telegram channel.
Uptycs' analysis of the Telegram chats reveals that the threat actor has an interest in crypto companies such as investment firms, exchanges, and wallet service providers.
The modus operandi entails searching public sources like DNSdumpster for identifying mail servers belonging to the targeted companies via their mail exchanger (MX) records and sending phishing emails bearing the Parallax RAT malware.
The development comes as Telegram is increasingly becoming a hub for criminal activities, enabling threat actors to organize their operations, distribute malware, and facilitate the sale of stolen data and other illegal goods in part owing to the platform's lax moderation efforts.
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!Join the Session
"One reason why Telegram is attractive to cybercriminals is its alleged built-in encryption and the ability to create channels and large, private groups," KELA disclosed in an exhaustive analysis published last month.
"These features make it difficult for law enforcement and security researchers to monitor and track criminal activity on the platform. In addition, cybercriminals often use coded language and alternative spellings to communicate on Telegram, making it even more challenging to decipher their conversations."