Cryptocurrency organizations have become the latest target of a malicious campaign distributing the Parallax RAT remote access trojan. The malware "uses injection techniques to hide in legitimate processes, making it harder to detect," according to a new Uptycs report. "Once the Trojan has been successfully injected, the attackers can interact with their victim via Windows Notepad, which likely serves as a communication channel."
Parallax RAT gives hackers remote access to compromised computers. It comes with features for uploading and downloading files, as well as recording keystrokes and screenshots.
Parallax has been in use since early 2020 and has previously been delivered with COVID-19 themed lures. In February 2022, Proofpoint detailed a threat group codenamed TA2541 that targeted the aviation, aerospace, transportation, manufacturing and defense industries using various RAT families, including Parallax.
The Parallax payload is Visual C++ malware that uses the process hollowing technique to inject itself into a legitimate Windows component, pipanel.exe. In addition to collecting system metadata, the malware can read the contents of the clipboard and can remotely reboot or shut down the compromised machine.
The attackers' workflow starts with public tools such as DNSdumpster, which they use to identify the targeted companies' mail servers from their mail exchanger (MX) records. Phishing emails carrying the Parallax RAT are then sent to those companies.
One notable aspect of the attacks is the use of the standard Notepad utility to start a conversation with the victim and redirect them to the criminals' Telegram channel. Uptycs' analysis of that Telegram channel showed the operators taking an interest in cryptocurrency companies such as investment firms, exchanges, and wallet service providers.
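The two behaviours described above (a hollowed pipanel.exe host process, and Notepad used as the operator's channel to the victim) can be turned into simple process-lineage checks for a SIEM or EDR rule. The script below is an added example written for this article, not code from Uptycs or the Parallax authors; it runs over constructed Sysmon-style process-creation events, and both heuristics are assumptions drawn from the report's description rather than published indicators: that the hollowed pipanel.exe is started by a dropper living in a user-writable directory, and that notepad.exe is launched by the injected pipanel.exe process.

```python
"""Heuristic process-lineage detection for the Parallax RAT behaviour above.

Added example (not from the Uptycs report). Input: constructed Sysmon-style
Event ID 1 (process creation) records as dicts. Both rules are assumptions:
  1. pipanel.exe started by a parent image in a user-writable directory
     (a phished dropper is the likely parent of the hollowed host process).
  2. notepad.exe started by pipanel.exe (the injected code is what opens the
     Notepad communication channel, so the hollowed host is the expected parent).
"""
from pathlib import PureWindowsPath

# Directories an ordinary user can write to; a legitimate Windows component
# would normally not be launched from a binary living here (assumed heuristic).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def _image_name(path):
    """Return the lower-cased file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def in_user_writable(path):
    """True if the image path contains a user-writable directory marker."""
    return any(marker in path.lower() for marker in USER_WRITABLE)


def detect(events):
    """Return (rule, pid, reason) findings for the given process-creation events."""
    findings = []
    for ev in events:
        image = _image_name(ev["Image"])
        parent = _image_name(ev["ParentImage"])
        if image == "pipanel.exe" and in_user_writable(ev["ParentImage"]):
            findings.append(("hollowing-host-from-user-path", ev["ProcessId"],
                             f"pipanel.exe spawned by {ev['ParentImage']}"))
        if image == "notepad.exe" and parent == "pipanel.exe":
            findings.append(("notepad-from-pipanel", ev["ProcessId"],
                             f"notepad.exe spawned by pipanel.exe (pid {ev['ParentProcessId']})"))
    return findings


# Constructed sample events (not real telemetry); image paths are illustrative.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\explorer.exe", "ParentProcessId": 900, "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"ProcessId": 5210, "Image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe", "ParentProcessId": 4120, "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 5300, "Image": r"C:\Windows\System32\pipanel.exe", "ParentProcessId": 5210, "ParentImage": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"ProcessId": 5388, "Image": r"C:\Windows\System32\notepad.exe", "ParentProcessId": 5300, "ParentImage": r"C:\Windows\System32\pipanel.exe"},
    {"ProcessId": 6000, "Image": r"C:\Windows\System32\notepad.exe", "ParentProcessId": 4120, "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for rule, pid, reason in detect(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid}: {reason}")
```

Only the pipanel.exe launched by the Temp-resident dropper and the Notepad it spawns are flagged; the user's own Notepad started from Explorer is not.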
“One of the reasons Telegram is attractive to cybercriminals is its supposed built-in encryption and the ability to create channels and large private groups. These features make it difficult for law enforcement and security researchers to track criminal activity on the platform. In addition, cybercriminals often use coded language and alternate spellings to communicate on Telegram, making their conversations even more difficult to decipher,” reads a comprehensive KELA analysis published last month.