Windows, macOS users targeted with crypto-and-info-stealing malware
Downloading anything from the internet is a gamble these days: you might think that you are downloading an innocuous app from a legitimate firm but thanks to clever misuse of AI and some social engineering, you can end up with information and cryptocurrency-stealing malware.
Case in point: Cado Security Labs researchers have recently reported websites set up to impersonate companies offering a video conferencing app, but serving/pushing the Realst info-stealer.
Preparing and executing the scam
To start, the crooks create websites with the help of AI tools, to create the illusion of the websites belonging to legitimate companies. They also set up accounts on Twitter and Medium, for good measure.
After setting the stage, the crooks reach out to the targets.
In one reported instance, a user was contacted via Telegram by an acquaintance – or so they thougth. The Telegram account was created to impersonate a contact of the target, Cado researchers said, and the scammer even sent an investment presentation from the target’s company to the target.
Other users report being on calls related to Web3 work and being instructed to download the software.
The domains for the websites and the app offered for download use variations of the word Meeten.
The download page of the Meeten website (Source: Cado Security Lab)
“The company regularly changes names, has also gone by Clusee[.]com, Cuesee, Meeten[.]gg, Meeten[.]us, Meetone[.]gg and is currently going by the name Meetio,” the researchers shared.
In addition to hosting information stealers, the Meeten websites also contain code to steal cryptocurrency even before the fake video app is installed.
“Cryptocurrency is stored in wallets which can take many forms. On one end you have hardware wallets which are standalone devices which store cryptocurrency keys separate to a computer. Another type of wallet is a web browser extension which could be attacked via JavaScript in a malicious website,” Paul Scott, Solutions Engineer at Cado Security told Help Net Security.
“If a user has their wallet unlocked in their browser and visit a malicious website, the JavaScript on the site automatically checks if there are unlocked wallets present and will attempt to transfer cryptocoins to a wallet the attacker controls.”
This particular campaign seems to be aimed at persons working with Web3 technologies (e.g., blockchain), and has been active approximately four months.
The malware
Tha fake apps are actually macOS and Windows variants of the Realst infostealer, which was first discovered in 2023 by security researcher iamdeadlyz.
The malware looks to steal Telegram credentials; keychain credentials; browser cookies and credentials stored in Chrome, Opera, Brave, Edge, Arc, CocCoc and Vivaldi browsers; Ledger, Trezor, Phantom and Binance wallets; and banking card details.
Whether Realst is commodity malware or custom-made by a specific threat actor is currently impossible to say.
“During our research we didn’t find any evidence of it being sold on marketplaces,” Tara Gould, Threat Research Lead at Cado Security, told Help Net Security.
“Being that the majority of stealers, and in particular crypto stealers, tend to be commodity, it may be more likely than custom – but we cannot say for sure at the moment.”
A definitive attribution of the campaign is also impossible at the moment. “The targeting of macOS and cryptocurrency, along with the fake company, are in line with the tactics, techniques, and procedures (TTPs) of North Korean hackers, however this alone is not enough to make a determination,” Gould said. “There is also the likely possibility of the campaign being conducted by cybercriminals as opposed to an APT group.”
The websites serving the malware have since been taken down, but the researchers advise users to be careful when being approached about business opportunities, especially through Telegram: “Even if the contact appears to be an existing contact, it is important to verify the account and always be diligent when opening links.”