Russian Hackers Using Fake Brand Websites to Spread DanaBot and StealC Malware

Aug 16, 2024 | Ravie Lakshmanan | Malware / Data Theft


Cybersecurity researchers have shed light on a sophisticated information stealer campaign that impersonates legitimate brands to distribute malware such as DanaBot and StealC.

The activity cluster, orchestrated by Russian-speaking cybercriminals and collectively codenamed Tusk, is said to comprise several sub-campaigns, leveraging the reputation of the impersonated platforms to trick users into downloading the malware via bogus websites and social media accounts.

"All the active sub-campaigns host the initial downloader on Dropbox," Kaspersky researchers Elsayed Elrefaei and AbdulRhman Alfaifi said. "This downloader is responsible for delivering additional malware samples to the victim's machine, which are mainly info-stealers (DanaBot and StealC) and clippers."


Of the 19 sub-campaigns identified to date, three are said to be currently active. The name "Tusk" is a reference to the word "Mammoth" used by the threat actors in log messages associated with the initial downloader. It is worth noting that mammoth is a slang term often used by Russian e-crime groups to refer to victims.

The campaigns are also notable for using phishing tactics to deceive victims into parting with their personal and financial information, which is then sold on the dark web or used to gain unauthorized access to their gaming accounts and cryptocurrency wallets.

The first of the three sub-campaigns, known as TidyMe, mimics peerme[.]io with a lookalike website hosted on tidyme[.]io (as well as tidymeapp[.]io and tidyme[.]app) that solicits a click to download a malicious program for both Windows and macOS systems. The executable is served from Dropbox.

The downloader is an Electron application that, when launched, prompts the victim to enter the CAPTCHA displayed, after which the main application interface is shown, while two additional malicious files are covertly fetched and executed in the background.

Both payloads observed in the campaign are Hijack Loader artifacts, which ultimately launch a variant of the StealC stealer malware with capabilities to harvest a wide range of information.


RuneOnlineWorld ("runeonlineworld[.]io"), the second sub-campaign, involves the use of a bogus website simulating a massively multiplayer online (MMO) game named Rise Online World to distribute a similar downloader that paves the way for DanaBot and StealC on compromised hosts.

Also distributed via Hijack Loader in this campaign is a Go-based clipper malware that is designed to monitor clipboard content and substitute wallet addresses copied by the victim with an attacker-controlled Bitcoin wallet in order to perform fraudulent transactions.
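The clipper behaviour described above can be checked for from the defender's side by comparing what a user copied with what the clipboard holds at paste time. The following is an added example, not code from the article or from Kaspersky's report; the address shapes it matches are the standard Bitcoin formats, and the clipboard events at the bottom are constructed sample data using well-known documentation example addresses, not real victim or attacker wallets.

```python
import re

# Bitcoin address shapes: legacy Base58 P2PKH/P2SH (no 0, O, I or l)
# and lowercase bech32 (bc1..., charset excludes b, i, o and 1).
BTC_ADDRESS_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b"
)


def extract_btc_addresses(text):
    """Return every Bitcoin-looking address in text, in order of appearance."""
    return BTC_ADDRESS_RE.findall(text)


def detect_clipper_swap(copied, pasted):
    """Compare the text the user copied with the clipboard content at paste time.

    Returns None when nothing suspicious happened, otherwise a dict listing the
    original and observed addresses and each (original, replacement) pair.
    """
    before = extract_btc_addresses(copied)
    after = extract_btc_addresses(pasted)
    if not before or copied == pasted:
        return None  # no wallet address to target, or clipboard untouched
    swapped = [(b, a) for b, a in zip(before, after) if b != a]
    if not swapped and len(before) == len(after):
        return None  # surrounding text changed, but every address survived
    return {"original": before, "observed": after, "swapped": swapped}


# Constructed clipboard history: (text copied, text present when pasted).
# The second event simulates a clipper replacing the copied address.
SAMPLE_EVENTS = [
    ("Pay to 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2",
     "Pay to 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    ("Pay to 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2",
     "Pay to 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"),
    ("meeting at 10am", "meeting at 10am"),
]


def audit_events(events):
    """Run the swap check over a list of clipboard events."""
    return [detect_clipper_swap(copied, pasted) for copied, pasted in events]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, audit_events(SAMPLE_EVENTS)):
        print(repr(event[0]), "->", "clean" if verdict is None else verdict)
```

On a real host the two strings would come from a clipboard hook taken at copy time and at paste time; the comparison logic is the part that stays the same.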

Rounding off the active campaigns is Voico, which impersonates an AI translator project called YOUS (yous[.]ai) with a malicious counterpart dubbed voico[.]io in order to disseminate an initial downloader that, upon installation, asks the victim to fill out a registration form containing their credentials and then logs the information to the console.


The final payloads exhibit behavior similar to that of the second sub-campaign, the only difference being that the StealC malware used in this case communicates with a different command-and-control (C2) server.

"The campaigns […] demonstrate the persistent and evolving threat posed by cybercriminals who are adept at mimicking legitimate projects to deceive victims," the researchers said. "The reliance on social engineering techniques such as phishing, coupled with multistage malware delivery mechanisms, highlights the advanced capabilities of the threat actors involved."

"By exploiting the trust users place in well-known platforms, these attackers effectively deploy a range of malware designed to steal sensitive information, compromise systems, and ultimately achieve financial gain."
