New Malware ‘Desert Dexter’ Hits Over 900 Victims Worldwide

A newly discovered malicious campaign dubbed “Desert Dexter” has infected approximately 900 victims across multiple countries, primarily in the Middle East and North Africa.

The Positive Technologies Expert Security Center (PT ESC) uncovered the operation, which has been active since September 2024.

The threat actors behind Desert Dexter employ a multi-stage attack chain that leverages social media platforms, legitimate file-sharing services, and geopolitical lures to distribute a modified version of the AsyncRAT malware.

The campaign’s sophistication lies in its use of Facebook* advertisements and Telegram channels masquerading as reputable news agencies to disseminate malicious content.

Innovative Tactics and Technical Details

The initial infection vector involves enticing victims to download RAR archives containing malicious scripts from either files.fm or specially created Telegram channels.

These scripts, written in various languages including JavaScript, batch, and PowerShell, work in concert to execute the final payload a customized AsyncRAT variant.

This modified AsyncRAT incorporates several notable features:

1. A custom reflective loader written in C# for injecting the malware into legitimate Windows processes.
2. An offline keylogger that logs keystrokes and active process names to a temporary file.
3. An enhanced IdSender module capable of detecting cryptocurrency wallet extensions and applications.

The malware establishes persistence by manipulating Windows registry run keys and employs DDNS domains resolving to VPN service IP addresses for command and control communication.

Geopolitical Context and Victim Profile

According tot the Report, Desert Dexter’s campaign exploits the volatile political climate in the targeted regions, using alleged leaks of confidential data as bait.

The majority of victims appear to be ordinary users, though some infections have been detected in critical sectors such as oil production, construction, and information technology.

The threat actors’ focus on cryptocurrency-related data suggests financial motivation, although the true extent of their objectives remains unclear.

As geopolitical tensions continue to fuel cyber operations in the Middle East and North Africa, Desert Dexter serves as a stark reminder of the evolving threat landscape in these regions.

Security researchers continue to monitor Desert Dexter’s activities, emphasizing the need for heightened cybersecurity awareness and robust defense measures against such sophisticated social engineering tactics and malware deployment strategies.

Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free