Babadeda is a crypter used to encrypt and obfuscate malicious payloads in what appear to be harmless application installers or programs.
Due to its complex obfuscation, it has a very low AV detection rate, and according to researchers at Morphisec, its infection rates are picking up speed.
The delivery chain begins on public Discord channels enjoying large viewership from a crypto-focused audience, such as new NFT drops or cryptocurrency discussions.
Phishing on Discord
A new malware campaign on Discord uses the Babadeda crypter to hide malware that targets the crypto, NFT, and DeFi communities.
Starting in May 2021, threat actors have been distributing remote access trojans obfuscated by Babadeda as a legitimate app on crypto-themed Discord channels.
The threat actors post on these channels or send private messages to prospective victims, inviting them to download a game or an app.
In some cases, the actors impersonate existing blockchain software projects like the “Mines of Dalarna” game.
Phishing post on DiscordSource: Morphisec If the user is tricked and clicks on the provided URL, they will end up on a decoy site that uses a cybersquatted domain that is easy to pass as the real one.
These domains use a valid LetsEncrypt certificate and support an HTTPS connection, making it even harder for careless users to spot the fraud. Comparison between a fake and real siteSource: Morphisec
Other decoy sites used in this campaign are listed below: Cloned sites created for malware distributionSource: Morphisec
The Babadeda deception
In the background, though, the execution of the malware continues, reading the steps from an XML file to execute new threads and load the DLL that will implement persistence. This persistence is done through a new startup folder item and the writing of a new registry Run key, both starting crypter’s primary executable.
If the user attempts to execute the installer, they will receive a fake error message to deceive the victim into thinking that nothing happened. The malware is downloaded upon clicking the “Play Now” or “Download app” buttons on the above sites, hiding in the form of DLLs and EXE files inside an archive that appears like any ordinary app folder at first glance.