Clever macOS malware delivery campaign targets cryptocurrency users

Cryptocurrency users are being targeted with legitimate-looking but fake apps that deliver information-stealing malware instead, Recorded Future’s researchers are warning.

The threat actor behind this elaborate scheme is going after both Windows and macOS users, and uses social media and messaging platforms to talk them into installing the apps, which are in fact the malware.

How cryptocurrency users get tricked into downloading the malware

Vortax – supposedly in-browser virtual meeting software – looks like a legitimate app at first glance:

  • It has a website indexed by major search engines and an associated Medium blog with suspected AI-generated articles
  • The website provides a physical address for the company and contains claims about Fortune 500 companies as customers and awards received from tech publications
  • It has a “verified” X account, as well as Telegram and Discord accounts

Potential targets who ask a direct question or take part in discussions on cryptocurrency-themed channels are told by Vortax accounts to visit the site, click the “Try Vortax for free” button, and enter a Room ID supplied by the account; only then are they allowed to download the application.

The Vortax download prompt (Source: Recorded Future)

“All of the Room IDs, when entered into the Vortax website, redirect the user to a Dropbox link (Windows) or external website (plumbonwater[.]com) (macOS) that downloads the Vortax installer,” the researchers explained.

“Behavioral analysis of the Vortax installers on Windows and macOS indicates that Vortax App Setup.exe and VortaxSetup.dmg deliver Rhadamanthys and Stealc, or [Atomic Stealer, aka AMOS], respectively.”

Once downloaded and launched, the Vortax app appears not to work, throwing errors such as one about a missing C++ driver. In the background, though, the stealer is already running and information theft can begin.

“Further investigation of the Vortax staging domain plumbonwater[.]com revealed 23 additional domains hosted on the same IP address (79.137.197.159),” the analysts noted, and said that each of these domains hosts a malicious application that delivers AMOS.

“Investigation into these malicious applications unearthed additional scams — similar to Vortax (…) — that masquerade as legitimate companies and leverage social media and messaging platforms to target cryptocurrency users. These scams, such as VDeck and Mindspeak, share crossover with the Vortax brand and are likely operated by the same threat actor — [AMOS UserID] markopolo.”

What to do?

The researchers posit that this and a previously documented campaign by the same threat actor may serve as a model for future ones and result in Atomic Stealer being spread more widely.

They also posit that markopolo could be an initial access broker or “log vendor” on a dark web shop.

They have shared a list of the malicious applications and domains, as well as file hashes, and advise organizations to deploy detections for them, keep malware signatures up to date, and consider security controls that block the download of unsanctioned software.
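One way to turn the shared indicators into a detection, as an added example that is not part of the article or of Recorded Future's report: a small Python sweep over DNS and web-proxy log lines that refangs the defanged domain, matches it and its subdomains, matches the staging IP address, and flags URL paths ending in one of the two installer names quoted above. The log format and every log line are constructed for the example; the indicator lists contain only the items named on this page, not the report's full list of 23 domains or its file hashes, so they would need to be extended from the report itself.

```python
"""Scan DNS and web-proxy log lines for the Vortax campaign IOCs named in the article."""
import ipaddress
import re
from dataclasses import dataclass, field
from posixpath import basename
from urllib.parse import unquote, urlparse

# Indicators quoted in the article from the Recorded Future report. The report's
# full list (23 further domains, file hashes) is not reproduced on the page, so
# only the named items appear here; extend these lists from the report itself.
DEFANGED_DOMAINS = ["plumbonwater[.]com"]
IP_ADDRESSES = ["79.137.197.159"]
INSTALLER_NAMES = ["Vortax App Setup.exe", "VortaxSetup.dmg"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('plumbonwater[.]com', 'hxxp://') into a matchable one."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http").strip().lower()


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {ipaddress.ip_address(ip) for ip in IP_ADDRESSES}
INSTALLERS = {name.lower() for name in INSTALLER_NAMES}


def domain_matches(host: str) -> bool:
    """True if host is an IOC domain or a subdomain of one (trailing dot and case ignored)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


@dataclass
class Hit:
    line_no: int
    reasons: list[str] = field(default_factory=list)


# Constructed sample lines (not real telemetry). Two record types:
#   <ts> dns <client> query <name>
#   <ts> proxy <client> <dest_ip> <url>
SAMPLE_LOG = """\
2024-06-18T10:01:02Z dns 10.0.0.12 query plumbonwater.com
2024-06-18T10:01:03Z proxy 10.0.0.12 79.137.197.159 https://cdn.plumbonwater.com/VortaxSetup.dmg
2024-06-18T10:05:11Z dns 10.0.0.12 query example.org
2024-06-18T10:07:44Z proxy 10.0.0.34 198.51.100.7 https://www.dropbox.com/s/abc123/Vortax%20App%20Setup.exe?dl=1
2024-06-18T10:09:00Z proxy 10.0.0.34 203.0.113.9 https://updates.example.org/notvortax.dmg
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>dns|proxy)\s+(?P<client>\S+)\s+(?P<rest>.+)$")


def scan(log_text: str) -> list[Hit]:
    """Return one Hit per log line that touches any IOC, listing every matching reason."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown record format: skip it rather than abort the sweep
        reasons = []
        if m["kind"] == "dns":
            name = m["rest"].split()[-1]
            if domain_matches(name):
                reasons.append(f"DNS lookup of IOC domain {name}")
        else:
            dest_ip, url = m["rest"].split(maxsplit=1)
            try:
                if ipaddress.ip_address(dest_ip) in IPS:
                    reasons.append(f"connection to IOC address {dest_ip}")
            except ValueError:
                pass  # unparsable address field; still run the URL checks
            parsed = urlparse(url)
            if parsed.hostname and domain_matches(parsed.hostname):
                reasons.append(f"HTTP request to IOC domain {parsed.hostname}")
            # Percent-decode the last path segment so 'Vortax%20App%20Setup.exe' matches.
            filename = unquote(basename(parsed.path)).lower()
            if filename in INSTALLERS:
                reasons.append(f"download of known installer name {filename!r}")
        if reasons:
            hits.append(Hit(line_no, reasons))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: " + "; ".join(hit.reasons))
```

On the constructed sample, lines 1, 2 and 4 are flagged: the DNS lookup of the staging domain, the download from a subdomain of it over the known IP, and a Dropbox download whose file name matches the Windows installer even though neither the host nor the address is an indicator. Matching on installer file names is the weakest of the three signals and is only useful alongside the domain, IP and hash indicators from the report.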

Users should be careful when downloading third-party software and keep abreast of the latest tricks employed by cyber crooks.
