
Cryptocurrency users are the target of an ongoing social engineering campaign that employs fake startups to trick them into downloading malware capable of draining digital assets from both Windows and macOS systems.
“These malicious operations have been made using AI, gaming and Web3 companies with spoofed social media accounts and project documents hosted on legitimate platforms such as Notion and GitHub,” Darktrace researcher Tara Gould said in a report shared with The Hacker News.
In a previous iteration documented in December 2024, the elaborate social media scam used bogus video conferencing platforms to dupe victims, approaching them via messaging apps like Telegram under the pretext of discussing an investment opportunity before asking them to join a meeting.
Users who ended up downloading the supposed meeting software were instead infected with stealer malware such as Realst. Cado Security (acquired by Darktrace earlier this year) codenamed the campaign Meeten, after one of the fake video conferencing services.
There are indications that the activity may have been ongoing since at least March 2024, when Jamf Threat Labs disclosed the use of a domain named meethub[.]gg to deliver Realst.

Darktrace’s latest findings show that the campaign remains an active threat and now employs a wide range of themes related to artificial intelligence, gaming, Web3 and social media.
Furthermore, attackers have been observed leveraging compromised X accounts belonging to businesses and employees to approach prospective targets and give the fake companies an illusion of legitimacy.
“They use sites that are frequently used by software companies such as X, Medium, GitHub, and Notion,” Gould said. “Each company has a professional website that includes employees, product blogs, white papers and roadmaps.”
One such non-existent company is Eternal Decay (@Metaversedecay), which claims to be a blockchain-powered game and shares doctored images on X to give the impression that it has presented at various conferences. The ultimate goal is to build an online presence that makes these companies look as realistic as possible, improving the likelihood of infection.
Below is a list of some of the other identified companies:
BeeSync (X account: @beesync, @aibeesync)
Buzzu (X account: @buzzapp, @ai_buzzu, @appbuzzup, @buzzapp)
Cloudsign (X account: @cloudsignapp)
Dexis (X account: @dexisapp)
Klastai
NexLoop (X account: @nexloopspace)
NexoraCore
Nexvoo (X account: @nexvoospace)
Pollens (X account: @pollensapp, @pollens_app)
Slax (X account: @slaxapp, @slax_app, @slaxproject)
Solune (X account: @soluneapp)
Swox (X account: @swox_app, @swox, @App_Swox, @AppSwox, @SwoxProject, @ProjectSwox)
Wasper (X account: @wasperai, @wasperspace)
YondaAI (X account: @yondaspace)
The attack chain begins when one of these malicious accounts messages the victim via X, Telegram, or Discord, prompting them to test the company’s software in exchange for a cryptocurrency payment.
If the target agrees, they are directed to a fictitious website promoted by the “employee”, where they enter a registration code supplied by that employee to download either a Windows Electron application or an Apple Disk Image (DMG) file, depending on the operating system they use.
On Windows systems, opening the malicious application presents the victim with a Cloudflare verification screen while the application profiles the machine, then downloads and runs an MSI installer. The exact nature of the payload is unknown, but information stealing is believed to take place at this stage.

Meanwhile, attacks against macOS lead to the deployment of Atomic macOS Stealer (AMOS), an infostealer that siphons documents, web browser data and crypto wallet data and exfiltrates them to external servers.
The DMG binary is equipped to fetch a shell script that sets up persistence on the system via a Launch Agent so that the app launches automatically on user login. The script also records application usage and user-interaction timestamps, and retrieves and executes Objective-C/Swift binaries served from a remote server.
Darktrace also said the campaign shares tactical similarities with those orchestrated by a traffer group called Crazy Evil, which is known for duping victims into installing malware such as StealC, AMOS and Angel Drainer.
“While it is unknown whether the campaign […] can be attributed to CrazyEvil or any of its sub-teams, the techniques described are essentially similar,” Gould said. “The campaign highlights the efforts threat actors put into making these fake companies look legitimate in order to steal cryptocurrency from victims.”
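The Launch Agent persistence described above leaves a plist on disk, so one defensive check is to scan those plists for auto-start entries that run a script from an unusual location. The following is an added example, not code from the Darktrace report; the plist contents, paths and trusted-prefix list are constructed assumptions.

```python
# Added example (not from the Darktrace report): flag LaunchAgent plists whose
# auto-start program lives outside expected locations, the persistence pattern
# described above. All sample plists below are constructed for illustration.
import plistlib

# Assumption: legitimate agents launch binaries from these prefixes.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")
SHELLS = ("/bin/sh", "/bin/bash", "/bin/zsh")

# Constructed sample: RunAtLoad agent running a shell script from a hidden user directory.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>/Users/alice/.cache/update.sh</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed sample: an ordinary application helper that starts at login.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/helper</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

def find_suspicious(plist_bytes: bytes) -> list:
    """Return the reasons a LaunchAgent plist looks like user-level persistence (empty if none)."""
    data = plistlib.loads(plist_bytes)
    reasons = []
    if not data.get("RunAtLoad") and not data.get("KeepAlive"):
        return reasons  # never auto-started, nothing to flag
    args = data.get("ProgramArguments") or [data.get("Program", "")]
    # Check every path-like argument: /bin/sh is trusted, the script it runs may not be.
    for arg in args:
        if arg.startswith("/") and not arg.startswith(TRUSTED_PREFIXES):
            reasons.append(f"auto-start program outside trusted paths: {arg}")
        if "/." in arg:
            reasons.append(f"hidden directory in program path: {arg}")
    if args and args[0] in SHELLS:
        reasons.append("shell interpreter used as agent entry point")
    return reasons
```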