Babadeda Crypter Detection

December 02, 2021 · 3 min read
Detecting Babadeda

Meet Babadeda, a new notorious crypter in the arsenal of threat actors. The malware has been actively leveraged by adversaries since May 2021 to bypass security protections and covertly deliver a variety of threats to unsuspecting victims. Multiple infostealers and remote access Trojans (RATs) have been deployed with the help of Babadeda. Moreover, LockBit maintainers also used it as a reliable way to obfuscate the ransomware payload and proceed with the successful infection.

What Is Babadeda Crypter? 

Babadeda is a new sample in the crypters family, allowing threat actors to encrypt and obfuscate the malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. According to the researchers’ analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus engines.

Crypto, NFT, and DEFI Communities Under Fire

Security researchers from Morphisec, who first spotted Babadeda samples in the wild, report about a massive campaign aimed at crypto-focused communities. Particularly, Babadeda actors decided to take advantage of the booming NFT and crypto games market, targeting wealthy affiliates to steal credentials for crypto wallets and NFT assets. 

The attack chain starts from the dedicated Discord channels devoted to NFT drops or cryptocurrency hot news. Hackers join the discussions and send private messages to potential victims, prompting them to download a new game or application. On some occasions, Babadeda actors impersonate the existing blockchain projects, like “Mines of Dalarna.”

In case the victims are tricked to follow the malicious link, they find themselves on a decoy website serving an alleged crypto game. Once the “Download Now” button is clicked, the malicious installer containing Babadeda crypter is downloaded and executed in the background. The installer then triggers the further infection stage to drop encrypted payloads of either Remcos or BitRAT.

Detecting Babadeda Crypter

To detect possible Babadeda infections and proactively defend against intrusions, security practitioners can download community Sigma rules available in the Threat Detection Marketplace repository powered by the SOC Prime platform. 

Babadeda Crypter Targets Cryptocurrency NFT and DeFi Platforms (via proxy)

This detection, written by our Threat Bounty developer Sittikorn Sangrattanapitak, has translations for the following SIEM & XDR platforms: Azure Sentinel, Splunk, ArcSight, Chronicle Security, ELK Stack, Sumo Logic, QRadar, Humio, FireEye, LogPoint, Graylog, Regex Grep, RSA NetwWitness, Apache Kafka ksqlDB, Qualys, Open Distro, and Securonix.

The rule is aligned with the latest MITRE ATT&CK® framework v.10 addressing the Initial Access tactic and the Phishing (T1566) and Obfuscated Files or Information (T1027) techniques.

The BABADEDA Crypter Targets the Crypto, NFT, DeFi Communities

This detection, provided by our Threat Bounty developer Nattatorn Chuensangarun, has translations for the following SIEM & XDR platforms: Azure Sentinel, Splunk, ArcSight, Chronicle Security, ELK Stack, Sumo Logic, QRadar, Humio, Microsoft Defender ATP, FireEye, Carbon Black, LogPoint, Graylog, Regex Grep, RSA NetwWitness, Apache Kafka ksqlDB, Open Distro, and Securonix.

The rule is aligned with the latest MITRE ATT&CK® framework v.10 addressing the Defense Evasion tactic and the Process Injection (T1055) technique.

Searching for the best SOC content compatible with your SIEM, EDR, and NTDR solutions in use? Explore SOC Prime’s Detection as Code platform to address your custom use cases, boost threat discovery and threat hunting, and get a complete visualization of your team’s progress. Passionate about threat hunting and eager to contribute to the industry-first SOC content library? Join our Threat Bounty Program!

Go to Platform Join Threat Bounty

Was this article helpful?

Like and share it with your peers.

Related Posts