Cryptocurrency Traders Beware: New Malware Exploits RDPWrapper and Tailscale

Infection Chain | Image: CRIL

Cyble Research and Intelligence Labs (CRIL) has uncovered a sophisticated cyberattack campaign targeting cryptocurrency users. This multi-stage attack utilizes a combination of phishing emails, malicious shortcut files, PowerShell scripts, and legitimate software like RDPWrapper and Tailscale to gain unauthorized access to victims’ computers.


The attack begins with a Zip archive containing a malicious shortcut (.lnk) file. The origin of this Zip file remains unknown, but it is suspected to be distributed through phishing emails. Upon execution, the .lnk file triggers a PowerShell script download, which then facilitates the attacker’s access via Remote Desktop Protocol (RDP). To deceive victims, a decoy PDF related to cryptocurrency trading on the CoinDCX platform is displayed, suggesting a potential focus on Indian users.

The campaign employs a variety of components, including PowerShell scripts, batch files, Go-based binaries, and vulnerable drivers. One notable aspect is the use of the Terminator (Spyboy) driver, indicating a planned Windows BYOVD (Bring Your Own Vulnerable Driver) attack, which could be executed once remote connection is established.

The initial infection begins with a .lnk file executing a command to download and run an obfuscated PowerShell script. This script creates mutexes to ensure only one instance runs and checks User Account Control (UAC) status. If UAC is disabled, it adds exclusions to Windows Defender to prevent detection and drops a binary executable to the %AppData%\Roaming directory.

The dropped binary, a 64-bit Go-based loader, executes with elevated privileges and displays a decoy PDF about cryptocurrency trading on CoinDCX. It then generates a batch script to download additional executable files from specific URLs, renaming them to evade detection. This script performs anti-virtualization and anti-debugging checks, terminates processes related to malware analysis, and sets up RDPWrapper and Tailscale.

The attackers have ingeniously utilized legitimate applications to facilitate their malicious activities. RDPWrapper is used to enable multiple RDP sessions per user, circumventing the typical single-session limitation. Additionally, Tailscale, a virtual private network (VPN) application, is used to connect the victim’s machine to the attacker’s private network. Tailscale allows devices to connect directly using encrypted connections and includes a web-based management service for easy administration and configuration.

To ensure persistence and avoid detection, the PowerShell script modifies several registry entries to disable notifications, restrict system functionalities, and prevent specific services from running. It creates a new local user account with administrative privileges and uses Chocolatey to install Tailscale. The script also configures the system to allow multiple RDP sessions and relaxes security policies.
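The configuration changes described above leave artifacts that can be checked on a suspect host. The triage script below is an added example, not code from the CRIL report; the RDPWrapper default install path, the Tailscale service name and the 7-day look-back window are assumptions, and the script only reports, it changes nothing.

```powershell
# Added host-triage checks for the persistence steps described in the article.
# Not from the CRIL report. Assumptions: RDPWrapper's default install path,
# the Windows service name "Tailscale", and a 7-day look-back for account events.
# Run in an elevated PowerShell 5.1+ session.

$findings = @()
$cutoff   = (Get-Date).AddDays(-7)

# 1. Windows Defender exclusions (the script adds them when UAC is disabled)
$pref = Get-MpPreference
foreach ($x in @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension)) {
    if ($x) { $findings += "Defender exclusion present: $x" }
}

# 2. Terminal Server settings that enable RDP and allow multiple sessions per user
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
if ($ts.fDenyTSConnections -eq 0)    { $findings += 'RDP enabled (fDenyTSConnections=0)' }
if ($ts.fSingleSessionPerUser -eq 0) { $findings += 'Multiple RDP sessions per user allowed (fSingleSessionPerUser=0)' }

# 3. RDPWrapper artifacts: assumed default install path, and TermService's ServiceDll
#    pointing anywhere other than the built-in termsrv.dll
$rdpwrapPath = 'C:\Program Files\RDP Wrapper\rdpwrap.dll'   # assumed default
if (Test-Path $rdpwrapPath) { $findings += "RDPWrapper library found: $rdpwrapPath" }
$svc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters' -ErrorAction SilentlyContinue
if ($svc.ServiceDll -and $svc.ServiceDll -notmatch 'termsrv\.dll$') {
    $findings += "TermService ServiceDll redirected to: $($svc.ServiceDll)"
}

# 4. Tailscale service and the Chocolatey install used to deploy it
$tailscale = Get-Service -Name 'Tailscale' -ErrorAction SilentlyContinue   # assumed service name
if ($tailscale) { $findings += "Tailscale service present (status: $($tailscale.Status))" }
if (Test-Path "$env:ProgramData\chocolatey") { $findings += 'Chocolatey installation found' }

# 5. Recently created local accounts (4720) and additions to local groups (4732)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $cutoff } `
          -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $findings += "Security event $($e.Id) at $($e.TimeCreated): $($e.Message.Split("`n")[0].Trim())"
}

if ($findings.Count -eq 0) { 'No indicators of the described configuration found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Any single finding can be legitimate on an administered host; the combination of Defender exclusions, a redirected TermService DLL, a new local administrator and a fresh Tailscale service is what matches this campaign.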

Once in control, the attackers can steal sensitive information, such as cryptocurrency wallet credentials, banking details, or personal data. They could also deploy ransomware, demanding payment in cryptocurrency to unlock the victim’s files. Additionally, the compromised system can serve as a beachhead for further lateral movement within the victim’s network, potentially compromising other devices and causing widespread damage.

To mitigate the risk of falling victim to this campaign, we recommend that users exercise caution when opening emails from unknown senders, especially those related to cryptocurrency. Avoid clicking on suspicious links or downloading attachments from untrusted sources. Furthermore, keeping security software up to date and enabling multi-factor authentication (MFA) for online accounts can significantly enhance security posture.