Parallax Rat attacks cryptocurrency companies using complex implementation methods

Cryptocurrency organizations have become a new target for attack as part of a malicious campaign to spread the Trojan Remote Access Parallax Rat. Malicious software “uses implementation methods to hide in legal processes, which makes it difficult to detect,” says New Report uptycs. “After Trojan was successfully introduced, attackers can interact with their victim through the Windows notebook, which probably serves the communication channel.”

Parallax Rat provides hackers with remote access to compromised computers. It is supplied with functions for downloading and downloading files, as well as recording keystrokes and screen shots.

Parallax has been used since the beginning of 2020 and was previously delivered using baits on the Covid-19 theme. In February 2022, Proofpoint described in detail The coden name TA2541, aimed aviation, aerospace, transport, production and defense industries, using various RAT options, including Parallax.

The payload of Parallax is a malicious Visual C ++ that uses the “Process Hollowing” method to introduce Parallax into the legal component of Windows called Pipanel.exe. In addition to collecting systemic metadata, harmfulness can also access information stored in the exchange buffer, and even remotely restart or turn off the compromised machine.

The method of work of cybercriminals includes the use of publicly accessible tools, such as DNSDumpster, to identify postal servers belonging to target companies. Identification occurs using the entries of a postal exchanger of companies. And then the attackers send phishing emails there, containing malicious Parallax Rat.

One of the notable aspects of attacks is the use of the standard notebook utility to initiate conversations with victims and redirect them to the Telegram channel of attackers. Analysis of this Telegram channel by Uptycs experts showed that hackers show interest in cryptocurrency companies such as investment companies, exchanges and suppliers of wallet services.

“One of the reasons for the attractiveness of Telegram for cybercriminals is the alleged built -in encryption and the ability to create channels and large private groups. These functions interfere with law enforcement agencies and researchers in the field of security to track criminal activity on the platform. In addition, cybercriminals often use an encoded language and alternative spelling options for communication in Telegram, which further complicates the decoding of their conversations, ”the comprehensive analysis kla, published last month.

/Media reports cited above.