Parallax RAT Attacks Cryptocurrency Companies With Complex Injection Methods
Attackers use the notepad built into Windows to communicate with their victims.
Cryptocurrency organizations have become a new target of a malicious campaign spreading the Parallax remote access trojan (RAT). The malware “uses injection techniques to hide in legitimate processes, making it harder to detect,” says a new report from Uptycs. “Once the Trojan has been successfully injected, the attackers can interact with their victim via Windows Notepad, which likely serves as a communication channel.”
Parallax RAT gives hackers remote access to compromised computers. It comes with features for uploading and downloading files, as well as recording keystrokes and screenshots.
Parallax has been in use since early 2020 and has previously been delivered with COVID-19-themed lures. In February 2022, Proofpoint described in detail a group, tracked as TA2541, that targeted the aviation, aerospace, transportation, manufacturing, and defense industries using various RAT variants, including Parallax.
The Parallax payload is Visual C++ malware that uses the “Process Hollowing” technique to inject Parallax into a legitimate Windows component called pipanel.exe. In addition to collecting system metadata, the malware can also access information stored on the clipboard and even remotely reboot or shut down the compromised machine.
The cybercriminals’ operation relies on publicly available tools such as DNSdumpster to identify mail servers belonging to target companies: the servers are located from the companies’ mail exchanger (MX) records, and phishing emails carrying the Parallax RAT are then sent to them.
One notable aspect of the attacks is the use of the standard Notepad utility to initiate conversations with victims and redirect them to the attackers’ Telegram channel. Uptycs researchers’ analysis of this Telegram channel revealed that the hackers are interested in cryptocurrency companies such as investment firms, exchanges, and wallet service providers.
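The process chain reported above (a hollowed pipanel.exe that then drives Notepad as a chat channel) is something a defender can hunt for in process-creation telemetry. The following detection heuristic is an added example, not code from Uptycs or the original article; it runs over constructed Sysmon-style events with assumed field names, and the rule that a legitimate pipanel.exe launch comes from a parent under the Windows directory is an assumption, not a fact stated in the report.

```python
from dataclasses import dataclass

# Hollowing target named in the Uptycs report; notepad.exe is the reported interaction channel.
HOLLOW_TARGET = "pipanel.exe"
CHAT_PROCESS = "notepad.exe"
# Assumption: parents launched from these trees are treated as system-originated.
WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\")


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (subset of Sysmon Event ID 1 fields, assumed)."""
    pid: int
    image: str
    parent_pid: int
    parent_image: str


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def under_windows_dir(path: str) -> bool:
    return path.lower().startswith(WINDOWS_DIRS)


def flag_parallax_chain(events):
    """Return (rule, pid) pairs for events matching the reported hollowing/notepad chain."""
    hits = []
    for ev in events:
        name, parent = basename(ev.image), basename(ev.parent_image)
        # Rule 1: the hollowing target is started by a binary outside the Windows tree,
        # e.g. a dropped executable in a user's temp folder (assumed launch pattern).
        if name == HOLLOW_TARGET and not under_windows_dir(ev.parent_image):
            hits.append(("pipanel_from_user_path", ev.pid))
        # Rule 2: Notepad spawned by the hollowed process, the reported chat channel.
        if name == CHAT_PROCESS and parent == HOLLOW_TARGET:
            hits.append(("notepad_child_of_pipanel", ev.pid))
    return hits


# Constructed sample telemetry: one benign explorer->notepad launch, then the suspicious chain.
SAMPLE_EVENTS = [
    ProcEvent(1200, r"C:\Windows\System32\notepad.exe", 800, r"C:\Windows\explorer.exe"),
    ProcEvent(3100, r"C:\Windows\System32\pipanel.exe", 2900, r"C:\Users\alice\AppData\Local\Temp\invoice.exe"),
    ProcEvent(3150, r"C:\Windows\System32\notepad.exe", 3100, r"C:\Windows\System32\pipanel.exe"),
]

if __name__ == "__main__":
    for rule, pid in flag_parallax_chain(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The benign Explorer-launched Notepad event produces no finding; only the two events forming the reported chain are flagged.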
“One of the reasons Telegram is attractive to cybercriminals is its supposed built-in encryption and the ability to create channels and large private groups. These features make it difficult for law enforcement and security researchers to track and trace criminal activity on the platform. In addition, cybercriminals often use coded language and alternate spellings to communicate on Telegram, making it even more difficult to decipher their conversations,” reads an exhaustive analysis KELA published last month.
Source: www.securitylab.ru