New DoubleFinger Malware Strikes Cryptocurrency Wallets

DoubleFinger Malware: Two-Fold Attack on Cryptocurrency Wallets with GreetingGhoul Stealer.

DoubleFinger malware downloads encrypted components from, a seemingly innocent image-sharing platform that disguises the files as PNG images.

In a recent report released by cybersecurity experts at Kaspersky, a new strain of malware named “DoubleFinger” has emerged as a serious concern for cryptocurrency enthusiasts.

The emergence of DoubleFinger malware, equipped with a multistage attack strategy resembling an advanced persistent threat (APT), showcases the increasing sophistication of malicious actors in the realm of crimeware development.

The malware operates by initiating a series of events triggered by a malicious email attachment that contains a PIF file. Once the attachment is opened, DoubleFinger malware downloads encrypted components from, a seemingly innocent image-sharing platform that disguises the files as PNG images. These components include a loader for the subsequent stages, a legitimate java.exe file, and another PNG file to be utilized later in the attack.

In its report, Kaspersky Team wrote that after executing the loader, DoubleFinger malware skillfully evades security software and progresses to the subsequent stages. In the fourth stage, it employs a technique called Process Doppelganging to replace a legitimate process with a modified version, housing the fifth-stage payload. This payload installs the infamous GreetingGhoul crypto stealer, scheduled to run daily and specifically target victims’ crypto wallets including Ledger and Trezor.

New "DoubleFinger" Malware Strikes Cryptocurrency Wallets
Fake Windows for famous wallets aiming at stealing data (Left) – The malicious image file (Right) – Credit: Kaspersky

Kaspersky’s technical analysis of GreetingGhoul reveals its dual functionality. The first component identifies crypto-wallet applications within the system and steals valuable data, including private keys and seed phrases. The second component overlays the interfaces of cryptocurrency applications, intercepts user input, and grants cybercriminals control over and access to the victims’ funds.

It is worth noting that certain variations of DoubleFinger malware also install the remote access Trojan Remcos, granting cybercriminals complete control over the infected system. This further exacerbates the risks associated with the malware and emphasizes the need for proactive measures to protect against such attacks.

To safeguard cryptocurrency wallets, Kaspersky recommends a range of preventive actions, including maintaining a vigilant stance against scams, diversifying wallet usage, being aware of vulnerabilities associated with cold wallets, and purchasing hardware wallets exclusively from official sources, among other precautions.

Kaspersky’s Sergey Lozhkin stressed the importance of collective responsibility, stating, “Protecting crypto wallets is a shared responsibility between the wallet providers, individuals, and the broader cryptocurrency community.”

By remaining vigilant, implementing robust security measures, and staying informed about the latest threats, users can mitigate the risks associated with DoubleFinger malware and ensure the safety of their valuable digital assets.

As the battle between cybercriminals and security experts continues, cryptocurrency enthusiasts must remain proactive and stay one step ahead of those seeking to exploit the rapidly evolving world of digital currencies.

  1. Bandit Stealer Stealing Crypto from Windows PCs
  2. Namecheap Phishing Emails Hacking Crypto Wallets
  3. MortalKombat Ransomware Aiming for Crypto Wallets
  4. “GodFather” Android Malware Hits Crypto Wallets Apps
  5. Cracked Software: BHUNT password stealer hits crypto funds
Related Posts