
Cryptocurrency Companies Targeted in New RAT Campaign



Cryptocurrency companies are being targeted by a new malware called Parallax RAT. The malware "uses injection techniques to hide within legitimate processes, making it difficult to detect," Uptycs said in a new report. "Once it has been successfully injected, attackers can interact with their victim via Windows Notepad that likely serves as a communication channel." Parallax RAT grants attackers remote access to victim machines. It comes with features to upload and download files as well as record keystrokes and screen captures.


It has been in use since early 2020 and was previously delivered via COVID-19-themed lures. The first-stage payload is Visual C++ malware that employs the process hollowing technique to inject Parallax RAT into a legitimate Windows component called pipanel.exe. Besides gathering system metadata, Parallax RAT can also read data stored in the clipboard and even remotely reboot or shut down the compromised machine. One notable aspect of the attacks is the use of the Notepad utility to initiate conversations with the victims and instruct them to connect to an actor-controlled Telegram channel.
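The process-hollowing and Notepad behaviour described above can be hunted for in process-creation telemetry. The following is an added example, not code from Uptycs or the original article: it runs two heuristic rules over constructed Sysmon-style records, flagging pipanel.exe created by an unexpected or user-writable parent (the hollowed process is created by the dropper, not by the normal shell) and notepad.exe spawned by pipanel.exe. The parent allowlist, the sample paths and the assumption that Notepad is a direct child of the hollowed process are all assumptions for this example.

```python
from typing import Dict, Iterable, List

# Expected parents for a legitimate pipanel.exe launch. This allowlist is an
# assumption for the example, not something the Uptycs report states.
EXPECTED_PIPANEL_PARENTS = {"explorer.exe", "svchost.exe"}
HOLLOWED_PROCESS = "pipanel.exe"
CHANNEL_PROCESS = "notepad.exe"
# Directories a Windows system binary should not be launched from (assumption).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per process-creation event that matches a rule."""
    findings = []
    for ev in events:
        image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
        parent_path = ev["ParentImage"].lower()
        # Rule 1: with process hollowing the target is created by the dropper,
        # so pipanel.exe under an unexpected or user-writable parent is suspicious.
        if image == HOLLOWED_PROCESS and (
            parent not in EXPECTED_PIPANEL_PARENTS
            or parent_path.startswith(USER_WRITABLE_PREFIXES)
        ):
            findings.append({"rule": "pipanel-unexpected-parent",
                             "pid": ev["ProcessId"], "parent": ev["ParentImage"]})
        # Rule 2: Notepad launched by pipanel.exe matches the operator channel in
        # the report (assumed here to appear as a direct child process).
        if image == CHANNEL_PROCESS and parent == HOLLOWED_PROCESS:
            findings.append({"rule": "notepad-spawned-by-pipanel",
                             "pid": ev["ProcessId"], "parent": ev["ParentImage"]})
    return findings


# Constructed Sysmon Event ID 1 style records for demonstration; not real telemetry.
SAMPLE_EVENTS = [
    {"ProcessId": "4102", "Image": r"C:\Windows\System32\pipanel.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},                        # benign
    {"ProcessId": "5120", "Image": r"C:\Windows\System32\pipanel.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},  # dropper
    {"ProcessId": "5188", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\System32\pipanel.exe"},                # channel
    {"ProcessId": "6004", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},                        # benign
]
```

Running `hunt(SAMPLE_EVENTS)` yields two findings, one per rule, while the two benign launches produce none.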


This new campaign is especially concerning because of how difficult Parallax RAT is to detect: by injecting itself into legitimate processes it hides from even experienced users, and once injected it grants attackers remote access to the victim machine, lets them upload and download files, record keystrokes and capture the screen, and talk to the victim through Windows Notepad. The malware has been in use since early 2020, when it was delivered via COVID-19-themed lures. If you think you may be a victim of this malware, reach out to a professional for help. In the meantime, stay vigilant and don't click on any links or open attachments from sources you don't know and trust.
