Verticals Targeted: Cryptocurrency, DeFi, Finance
Uptycs recently reported on activity in which threat actors used Parallax RAT to target entities in the cryptocurrency sector. Parallax is a RAT available for purchase on hacker forums since at least 2019. It is typically distributed via spam campaigns and phishing emails. In the recently observed activity, Parallax was targeting cryptocurrency organizations and using injection techniques to hide inside legitimate processes. Parallax’s capabilities include reading login credentials, accessing files, keylogging, remote desktop control, and remote control of victim machines.
The attack uses two stages of payloads. The first payload analyzed by Uptycs was written in Visual C++. Parallax uses process hollowing to inject the second payload within legitimate processes, making it more difficult to detect. The malware creates a copy of itself in the Windows Startup folder to maintain persistence.
The second payload is a 32-bit binary executable. This payload is used for gathering system information, for keylogging, and for remote control of the victim machine. Other information gathered includes the computer name, OS version, and data stored on the clipboard. The threat actors can use the malware to interact with the victim via Notepad, instructing them to connect to a Telegram channel. The threat actors can also shut down or restart the infected system.
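As an added illustration of the Startup-folder persistence described above (example code, not from the Uptycs or PolySwarm reporting): a Python check that flags Sysmon-style FileCreate records writing an executable file type into a Windows Startup folder, and notes when the writing process copies a file of its own name there. The log lines are constructed for the example; field names follow the Sysmon event 11 layout.

```python
import re
from typing import Dict, List

# Both the per-user and the all-users Startup folders end in this path segment.
STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# File types Windows will run at logon from that folder.
EXEC_EXTS = (".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".lnk")

# Constructed Sysmon-style records (EventID 11 = FileCreate); not real telemetry.
SAMPLE_EVENTS = [
    r'EventID="11" Image="C:\Users\alice\AppData\Local\Temp\invoice.exe" '
    r'TargetFilename="C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\invoice.exe"',
    r'EventID="11" Image="C:\Windows\explorer.exe" '
    r'TargetFilename="C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini"',
    r'EventID="11" Image="C:\Program Files\Notepad++\notepad++.exe" TargetFilename="C:\Users\alice\Documents\notes.txt"',
    r'EventID="1" Image="C:\Windows\System32\svchost.exe" CommandLine="svchost.exe -k netsvcs"',
]

def parse_event(line: str) -> Dict[str, str]:
    """Turn a key="value" record into a dict (values here contain no escaped quotes)."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def win_basename(path: str) -> str:
    """os.path.basename only splits on '/' off Windows, so split on the backslash explicitly."""
    return path.rsplit("\\", 1)[-1].lower()

def flag_startup_persistence(events: List[str]) -> List[Dict[str, object]]:
    """Return FileCreate events that place an executable file type in a Startup folder."""
    hits = []
    for line in events:
        ev = parse_event(line)
        if ev.get("EventID") != "11":
            continue
        target = ev.get("TargetFilename", "")
        if not STARTUP_RE.search(target) or not target.lower().endswith(EXEC_EXTS):
            continue
        image = ev.get("Image", "")
        hits.append({
            "image": image,
            "target": target,
            # A process writing a file with its own name into Startup matches the
            # self-copy behaviour described for the first-stage payload.
            "self_copy": win_basename(image) == win_basename(target),
        })
    return hits

if __name__ == "__main__":
    for hit in flag_startup_persistence(SAMPLE_EVENTS):
        print(f"[startup persistence] {hit['image']} -> {hit['target']} (self-copy={hit['self_copy']})")
```

Legitimate installers also write shortcuts into Startup, so in production this check is a triage signal to pair with the writing process's signer and parent, not an alert on its own.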
IOCs
PolySwarm has multiple samples associated with Parallax RAT.