New Malware ‘Babadeda’ is Targeting Crypto Users on Discord

A highly sophisticated and very dangerous crypter is loose in the crypto community. It has been named the Babadeda crypter and is targeting NFT and DeFi users.

Babadeda translates to “Grandma-Grandpa” – a Russian language placeholder used by the crypter itself, giving away hints to its origin. The malware is targeting cryptocurrency enthusiasts on the popular crypto community chat app Discord. Since May this year, bad actors have been fooling users into downloading Babadeda, disguised as a legitimate app.

The scammers are able to lure victims by taking over popular crypto channels in the NFT and DeFi communities on Discord, posing very convincingly as the official Admin. Users are being fooled into clicking on and downloading a malicious file that will install the crypter on their machine. The code is so sneaky that it is able to evade detection by most anti-malware software, successfully hiding within the computer’s files by masquerading as a known application.

Once on a victim’s machine, masquerading as a known application with a complex obfuscation also means that anyone relying on signature-based malware effectively has no way of knowing Babadeda is on their machine – or of stopping it from executing.

Advertisement

Morphisec blog

Links to Babadeda Posted as Official Announcements

The threat actor sends users a private message or posts a link through the Admin chat inviting them to download an application related to the channel. Below is an example of the Discord Channel for blockchain-based action-adventure game Mines of Dalarnia, where a link to Babadeda has been posted as an official announcement, appearing to come from the channel’s own Admin account.

If a user clicks on the provided URL, they will be rerouted to a fake decoy site whose branding is almost exactly the same as that of the project it is imitating. The attackers use very advanced measures to ensure the delivery chain looks legitimate, even to the most technically aware users. Through cybersquatting, they can make the URLs of the decoy websites resemble those of genuine ones. They even use SSL certificates generated by Let’s Encrypt to further appear completely legitimate and add to the deception.

When the user clicks on “download app” from the decoy site, the malicious installer embeds the Babadeda crypter onto the victim’s machine. Then it’s game over.

Discord is a Dangerous Place for the Average Degen

The takeaway: be careful and go slowly. Discord is rife with scams like this. You can have all the fancy malware protection money can buy, but if you accidentally click on a dodgy link and install a malicious application on your computer, you could leave yourself open to an attacker who can empty the contents of your crypto wallet quicker than you can figure out what happened.

In related news, two weeks ago Crypto News Australia reported on the Fake MetaMask Google Ad scam, a phishing/ad scam directing victims to the fake site maskmeta, instead of the official metamask.io url. It’s another cautionary tale.