New Malware Targets MENA Region, Steals Cryptocurrency Data

News Desk -


Threat Intelligence specialists at Positive Technologies Expert Security Center (PT ESC) have uncovered a new malware campaign actively targeting individuals in the Middle East and North Africa (MENA) region. Since September 2024, attackers have been using a modified version of AsyncRAT to steal sensitive data, particularly cryptocurrency wallet information. The campaign is distributed through social media ads, with attackers posing as news outlets to lure victims to file-sharing services or Telegram channels that host the malicious files.

The malware is designed to harvest cryptocurrency wallet data and send it to a Telegram bot operated by the attackers. PT ESC’s investigation revealed approximately 900 potential victims, with most affected individuals being regular users from industries including oil and gas, construction, IT, and agriculture. Victims are primarily located in Libya (49%), Saudi Arabia (17%), Egypt (10%), Turkey (9%), UAE (7%), and Qatar (5%).

The group behind the campaign has been named Desert Dexter, a reference to one of the suspected operators. During the investigation, researchers discovered the attackers were using temporary accounts and fake news channels on Facebook to bypass ad filters and spread their malicious posts. Although a similar campaign was documented in 2019, the current operation introduces new techniques to make the malware more effective.

Denis Kuvshinov, Head of Threat Intelligence at Positive Technologies, explained that the attack follows a multi-stage process, beginning with victims being lured to file-sharing services or Telegram channels, where they unknowingly download a RAR archive containing malicious files. These files install AsyncRAT, collect system information, and send the data to a Telegram bot controlled by the attackers. The modified AsyncRAT includes an updated IdSender module, which specifically targets cryptocurrency wallet extensions, two-factor authentication extensions, and software used to manage cryptocurrency wallets.
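The exfiltration step described above (system and wallet data pushed to an attacker-controlled Telegram bot) leaves a recognisable trace in web proxy logs, because every Telegram Bot API call has the shape `https://api.telegram.org/bot<token>/<method>`. The following detection script is an added example written for this article; it is not PT ESC's tooling or code from the campaign. The proxy log format, the host names, the process name `sysupdate.exe` and both bot tokens are constructed for the example. It flags upload methods to the Bot API from processes where a user-driven Telegram session is implausible, and then groups suspicious hosts by bot id so that one bot seen from many machines stands out as a campaign rather than a single user's chat.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Telegram Bot API requests look like
#   https://api.telegram.org/bot<token>/<method>
# where <token> is "<numeric bot id>:<secret>". The numeric bot id is not
# secret and is enough to correlate victims; the secret is matched but never
# stored in a finding, so the detection output can be shared safely.
BOT_API_RE = re.compile(
    r"api\.telegram\.org/bot(?P<bot_id>\d{6,12}):(?P<secret>[A-Za-z0-9_-]{30,45})/(?P<method>[A-Za-z]+)"
)

# Methods that push content into a chat. An implant needs one of these to
# exfiltrate; read-only calls such as getMe are ignored here on purpose.
UPLOAD_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}

# Processes in which a human-driven Bot API call is plausible (assumed list).
# Any other process uploading to a bot is treated as suspicious.
BENIGN_PROCESSES = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed proxy log: <timestamp> <host> <process> <verb> <url> <bytes>
SAMPLE_PROXY_LOG = """\
2024-10-02T09:14:03Z WS-0113 sysupdate.exe POST https://api.telegram.org/bot7012345678:AAHfakeTokenForExample0123456789abc/sendDocument 48213
2024-10-02T09:14:05Z WS-0113 sysupdate.exe POST https://api.telegram.org/bot7012345678:AAHfakeTokenForExample0123456789abc/sendMessage 912
2024-10-02T09:20:41Z WS-0207 sysupdate.exe POST https://api.telegram.org/bot7012345678:AAHfakeTokenForExample0123456789abc/sendDocument 50877
2024-10-02T09:22:10Z WS-0301 chrome.exe GET https://api.telegram.org/bot7012345678:AAHfakeTokenForExample0123456789abc/getMe 311
2024-10-02T09:25:55Z WS-0302 chrome.exe POST https://web.telegram.org/k/ 1204
2024-10-02T09:31:18Z WS-0415 firefox.exe POST https://api.telegram.org/bot1234567890:AAFanotherConstructedSecret00000000/sendMessage 640
malformed line that the parser must skip
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    process: str
    method: str
    bot_id: str
    suspicious: bool


def parse_line(line: str):
    """Split one constructed proxy log line into its fields, or None if malformed."""
    fields = line.split()
    if len(fields) != 6:
        return None
    timestamp, host, process, verb, url, _size = fields
    return timestamp, host, process, verb, url


def scan(lines):
    """Return a Finding for every Bot API upload; mark it suspicious when the
    originating process is not one where a user-driven call is expected."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        timestamp, host, process, _verb, url = parsed
        m = BOT_API_RE.search(url)
        if m is None or m.group("method") not in UPLOAD_METHODS:
            continue
        findings.append(
            Finding(
                timestamp=timestamp,
                host=host,
                process=process,
                method=m.group("method"),
                bot_id=m.group("bot_id"),
                suspicious=process.lower() not in BENIGN_PROCESSES,
            )
        )
    return findings


def hosts_per_bot(findings):
    """Group suspicious uploads by bot id. One bot receiving uploads from
    several hosts is the signature of a campaign, and the host list is the
    starting point for scoping how many machines are affected."""
    grouped = defaultdict(set)
    for f in findings:
        if f.suspicious:
            grouped[f.bot_id].add(f.host)
    return {bot_id: sorted(hosts) for bot_id, hosts in grouped.items()}


if __name__ == "__main__":
    results = scan(SAMPLE_PROXY_LOG.splitlines())
    for f in results:
        flag = "SUSPICIOUS" if f.suspicious else "benign"
        print(f"{f.timestamp} {f.host} {f.process} {f.method} bot={f.bot_id} [{flag}]")
    print("hosts per bot:", hosts_per_bot(results))
```

On the constructed log the scan yields four uploads: three from `sysupdate.exe` on two hosts, all attributed to bot id 7012345678 and flagged, and one `sendMessage` from `firefox.exe` that is recorded but not flagged. The `getMe` call and the `web.telegram.org` request are skipped, as is the malformed line. In production the process allowlist and the size threshold would be tuned to the environment, and a token's numeric id, once confirmed malicious, can be blocked at the proxy without ever handling the secret half.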

While the tools used by Desert Dexter are not particularly sophisticated, their use of social media ads and legitimate services has made the campaign effective. The attackers exploit geopolitical tensions in the MENA region, targeting both individual users and high-ranking officials. Researchers have noted that the region remains a prime target for cyberattacks due to ongoing political instability, with phishing campaigns increasingly using political themes to lure victims.