
Russian Hackers Using Fake Brand Sites to Spread DanaBot and StealC Malware


Aug 16, 2024 / Ravie Lakshmanan / Malware / Data Theft


Cybersecurity researchers have shed light on a sophisticated information stealer campaign that impersonates legitimate brands to distribute malware such as DanaBot and StealC.

The activity cluster, orchestrated by Russian-speaking cybercriminals and collectively codenamed Tusk, is said to comprise several sub-campaigns that leverage the reputation of well-known platforms to trick users into downloading the malware via bogus websites and social media accounts.

“All the active sub-campaigns host the initial downloader on Dropbox,” Kaspersky researchers Elsayed Elrefaei and AbdulRhman Alfaifi said. “This downloader is responsible for delivering additional malware samples to the victim’s machine, which are mostly info-stealers (DanaBot and StealC) and clippers.”


Of the 19 sub-campaigns identified to date, three are said to be currently active. The name “Tusk” is a reference to the word “Mammoth” used by the threat actors in log messages associated with the initial downloader. It is worth noting that “mammoth” is a slang term often used by Russian e-crime groups to refer to victims.

The campaigns are also notable for their use of phishing tactics to deceive victims into parting with personal and financial information, which is then sold on the dark web or used to gain unauthorized access to their gaming accounts and cryptocurrency wallets.

The first of the three sub-campaigns, known as TidyMe, mimics peerme[.]io with a lookalike website hosted on tidyme[.]io (as well as tidymeapp[.]io and tidyme[.]app) that solicits a click to download an application for both Windows and macOS systems. The executable is served from Dropbox.

The downloader is an Electron application that, when launched, prompts the victim to solve the CAPTCHA displayed, after which the main application interface is shown while two additional malicious files are covertly fetched and executed in the background.

Both payloads observed in the campaign are Hijack Loader artifacts, which ultimately launch a variant of the StealC stealer malware capable of harvesting a wide range of information.

DanaBot and StealC Malware

RuneOnlineWorld (“runeonlineworld[.]io”), the second sub-campaign, involves the use of a bogus website simulating a massively multiplayer online (MMO) game named Rise Online World to distribute a similar downloader that paves the way for DanaBot and StealC on compromised hosts.

Also distributed via Hijack Loader in this campaign is a Go-based clipper malware designed to monitor clipboard content and replace wallet addresses copied by the victim with an attacker-controlled Bitcoin wallet address, so that the victim’s transaction is redirected to the attacker.

Rounding off the active campaigns is Voico, which impersonates an AI translator project called YOUS (yous[.]ai) with a malicious counterpart dubbed voico[.]io in order to disseminate an initial downloader that, upon installation, asks the victim to fill out a registration form containing their credentials and then logs the information to the console.


The final payloads exhibit similar behavior to those of the second sub-campaign, the only difference being that the StealC sample used in this case communicates with a different command-and-control (C2) server.
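As an added example (not Kaspersky’s or this article’s code), the Python below runs a string-similarity triage over the five defanged domains the article lists, scoring each against the brand names they impersonated. It also shows the limit of that check: runeonlineworld[.]io is flagged as a lookalike of “Rise Online World”, but tidyme[.]io and voico[.]io score as unrelated to peerme and YOUS, because those campaigns copied the target’s look and feel rather than its name. The brand tokens, the 0.75 threshold and the naive “last label is the TLD” rule are assumptions made for illustration.

```python
"""Triage of defanged domain indicators against impersonated brand names.

Added example, not Kaspersky's or the article's code.  The five domains are the
ones the article lists (defanged); the brand tokens, the 0.75 threshold and the
naive "last label is the TLD" rule are assumptions made for illustration.
"""
import re

# Defanged indicators exactly as published in the article.
ARTICLE_IOCS = [
    "tidyme[.]io",
    "tidymeapp[.]io",
    "tidyme[.]app",
    "runeonlineworld[.]io",
    "voico[.]io",
]

# Assumption: the impersonated brands, normalised to lowercase tokens
# (peerme.io, the "Rise Online World" MMO, yous.ai).
BRAND_TOKENS = ["peerme", "riseonlineworld", "yous"]

LOOKALIKE_THRESHOLD = 0.75  # assumption; tune against your own false-positive budget


def refang(ioc: str) -> str:
    """Restore a defanged indicator: 'tidyme[.]io' -> 'tidyme.io'."""
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", ioc.strip().lower())


def registrable_label(domain: str) -> str:
    """Label left of the TLD.  Naive (no public-suffix list); adequate for .io/.app/.ai."""
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """1.0 for identical strings, 0.0 for strings with nothing in common."""
    longest = max(len(a), len(b))
    return 1.0 - levenshtein(a, b) / longest if longest else 1.0


def triage(iocs, brands=BRAND_TOKENS, threshold=LOOKALIKE_THRESHOLD):
    """Return (domain, closest_brand, score, verdict) for each defanged IOC."""
    out = []
    for ioc in iocs:
        domain = refang(ioc)
        label = registrable_label(domain)
        brand, score = max(((b, similarity(label, b)) for b in brands),
                           key=lambda t: t[1])
        if label == brand:
            verdict = "exact-match"
        elif score >= threshold:
            verdict = "lookalike"
        else:
            # Name is not a typosquat; the impersonation (if any) lives in the
            # page content and branding, which this check cannot see.
            verdict = "unrelated-name"
        out.append((domain, brand, round(score, 2), verdict))
    return out


if __name__ == "__main__":
    for row in triage(ARTICLE_IOCS):
        print("{:<22} closest={:<16} score={:.2f} {}".format(*row))
```

Only runeonlineworld.io clears the threshold (edit distance 2 from riseonlineworld, score 0.87); tidyme.io scores 0.33 against peerme and voico.io 0.20 against yous. Name similarity is a cheap first filter for registrations to watch, but for campaigns like TidyMe and Voico it has to be paired with checks on page content, logos and certificate data.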

“The campaigns […] demonstrate the persistent and evolving threat posed by cybercriminals who are adept at mimicking legitimate projects to deceive victims,” the researchers said. “The reliance on social engineering techniques such as phishing, coupled with multistage malware delivery mechanisms, highlights the advanced capabilities of the threat actors involved.”

“By exploiting the trust users place in well-known platforms, these attackers effectively deploy a range of malware designed to steal sensitive information, compromise systems, and ultimately achieve financial gain.”
