Insights, news, education and announcements from PolySwarm

Parallax RAT Targeting Crypto

Written by The Hivemind | Mar 7, 2023 4:36:09 PM

Verticals Targeted: Cryptocurrency, DeFi, Finance 

Executive Summary

Uptycs recently reported on activity in which threat actors used Parallax RAT to target entities in the cryptocurrency sector.

Key Takeaways

  • Threat actors recently used Parallax RAT to target cryptocurrency entities. 
  • Parallax is typically distributed via phishing emails and spam campaigns.
  • In this campaign, two stages of payloads are used. 
  • Threat actors used Notepad to communicate with victims.

What is Parallax RAT?

Uptycs recently reported on activity in which threat actors used Parallax RAT to target entities in the cryptocurrency sector. Parallax is a RAT available for purchase on hacker forums since at least 2019. It is typically distributed via spam campaigns and phishing emails. In the recently observed activity, Parallax was targeting cryptocurrency organizations and using injection techniques to hide inside legitimate processes. Parallax’s capabilities include reading login credentials, accessing files, keylogging, remote desktop control, and remote control of victim machines.

The attack uses two stages of payloads. The first payload analyzed by Uptycs was written in Visual C++.  Parallax uses process hollowing to inject the second payload within legitimate processes, making it more difficult to detect. The malware creates a copy of itself in the Windows Startup folder to maintain persistence. 

The second payload is a 32 bit binary executable.This payload is used for gathering system information, for keylogging, and for remote control of the victim machine. Other information gathered includes the computer name, OS version, and data stored on the clipboard. The threat actors can use the malware to interact with the victim via Notepad, instructing them to connect to a Telegram channel. The threat actors can also shutdown or restart the infected system.

 

IOCs

PolySwarm has multiple samples associated with Parallax RAT.

c3a3c6015ffc1bc98b5a21f89e78049900e5796e67e098bead011a20a99e7b0d
5b86f9c50ea65d80beb33ba795d990cae58d4c0feb9a731ba27793516c441d7b

You can use the following CLI command to search for all Parallax RAT samples in our portal:
$ polyswarm link list -f Parallax 

 

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports