A new malware campaign targeting individuals across the Middle East and North Africa has been uncovered. Active since September 2024, the campaign leverages a modified version of AsyncRAT to compromise victims’ systems.
How the Attack Works
Attackers masquerade as news outlets on social media, crafting deceptive promotional posts that direct users to file-sharing platforms or Telegram channels. These channels then distribute a malicious RAR archive, which, once opened, executes the modified AsyncRAT. The malware is designed to steal cryptocurrency wallet data and relay information back to the attackers via a Telegram bot. Investigations estimate that around 900 individuals have been affected, primarily everyday users.
Attackers Behind the Campaign
Security researchers have attributed the campaign to a threat group dubbed “Desert Dexter,” named after one of the suspected operators. Their tactics involve using temporary accounts and fake news pages on social media platforms, particularly Facebook, to bypass advertising filters and promote malicious content.
This technique is reminiscent of a 2019 campaign documented by Check Point, but the latest operation employs enhanced attack techniques to increase its effectiveness.
Technical Breakdown of the Attack
According to Denis Kuvshinov, Head of Threat Intelligence at PT ESC, the attack follows a multi-stage process:
- Victims are lured from a promotional post to a Telegram channel or file-sharing service pretending to be a media outlet.
- A RAR archive is provided, containing malicious files.
- Once executed, the modified AsyncRAT gathers system information and sends it to the attackers’ Telegram bot.
- This version of AsyncRAT includes a modified IdSender module, which extracts data from:
  - Cryptocurrency wallet extensions
  - Two-factor authentication extensions in browsers
  - Software used to manage cryptocurrency wallets
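Added example (not from the article, PT ESC or the malware itself): a small correlation rule over constructed endpoint telemetry that flags the chain described above, a binary launched from an archive-extraction folder that reads browser-extension storage and then talks to the Telegram Bot API. The event field names, paths and the "temp / Rar$" and "Local Extension Settings" heuristics are assumptions chosen for illustration, not indicators taken from the campaign.

```python
import json
from collections import defaultdict

TELEGRAM_BOT_HOST = "api.telegram.org"  # endpoint used by Telegram bot API clients
# Heuristics (assumptions, not from the article): images started from a temp or
# WinRAR "Rar$..." extraction folder, and reads of Chrome extension storage.
SUSPICIOUS_IMAGE_HINTS = ("\\temp\\", "rar$")
EXTENSION_STORE_HINTS = ("local extension settings",)

# Constructed telemetry, one JSON event per line. pid 4312 is the suspicious
# chain; pid 880 is a benign bot client installed under Program Files.
SAMPLE_EVENTS = r"""
{"pid": 4312, "event": "process_start", "image": "C:\\Users\\u\\AppData\\Local\\Temp\\Rar$EXa0.123\\news.exe"}
{"pid": 4312, "event": "file_read", "path": "C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\EXTENSION_ID_PLACEHOLDER\\000003.log"}
{"pid": 4312, "event": "net_connect", "host": "api.telegram.org", "port": 443}
{"pid": 880, "event": "process_start", "image": "C:\\Program Files\\BotClient\\client.exe"}
{"pid": 880, "event": "net_connect", "host": "api.telegram.org", "port": 443}
"""


def correlate(events_text):
    """Return {pid: [reasons]} for processes matching the extraction->exfil chain."""
    by_pid = defaultdict(lambda: {"image": "", "ext_read": False, "telegram": False})
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        rec = by_pid[ev["pid"]]
        if ev["event"] == "process_start":
            rec["image"] = ev["image"]
        elif ev["event"] == "file_read":
            if any(h in ev["path"].lower() for h in EXTENSION_STORE_HINTS):
                rec["ext_read"] = True
        elif ev["event"] == "net_connect" and ev["host"] == TELEGRAM_BOT_HOST:
            rec["telegram"] = True

    alerts = {}
    for pid, rec in by_pid.items():
        from_archive = any(h in rec["image"].lower() for h in SUSPICIOUS_IMAGE_HINTS)
        # Require both the unusual launch location and the bot-API egress; the
        # extension read raises severity but is not required for an alert.
        if from_archive and rec["telegram"]:
            reasons = ["launched from temp/archive-extraction path",
                       "connects to Telegram Bot API host"]
            if rec["ext_read"]:
                reasons.append("reads browser extension storage (wallet/2FA data)")
            alerts[pid] = reasons
    return alerts


if __name__ == "__main__":
    for pid, reasons in correlate(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

The benign client on pid 880 reaches the same host but is not flagged because it was not launched from an extraction folder, which is the distinction the rule relies on.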
Why This Campaign is Effective
While Desert Dexter’s malware tools are not highly advanced, their use of social media ads and legitimate services has made the attack highly successful. By spreading disinformation about leaked confidential data, the attackers create a lure that is effective for both regular users and high-ranking officials.
Recommendations
Users are advised to:
- Be cautious of social media links, and avoid clicking links you come across in posts or ads.
- Never download files from untrusted sources or file-sharing platforms.
- Protect cryptocurrency and financial accounts: enable multi-factor authentication (MFA) using authentication apps, not SMS or email.
- Secure Telegram and social media accounts: enable two-factor authentication to avoid account hijacking.
For additional resources and updates on cybersecurity, please visit our X account @UgCERT.