Russian Hackers Using Fake Brand Websites to Spread DanaBot and StealC Malware

Aug 16, 2024 | Ravie Lakshmanan | Malware / Data Theft

Cybersecurity researchers have shed light on a sophisticated information stealer campaign that impersonates legitimate brands to distribute malware such as DanaBot and StealC.

The activity cluster, orchestrated by Russian-speaking cybercriminals and collectively codenamed Tusk, is said to comprise several sub-campaigns that leverage the reputation of well-known platforms to trick users into downloading the malware via bogus websites and social media accounts.

“All the active sub-campaigns host the initial downloader on Dropbox,” Kaspersky researchers Elsayed Elrefaei and AbdulRhman Alfaifi said. “This downloader is responsible for delivering additional malware samples to the victim’s machine, which are mostly info-stealers (DanaBot and StealC) and clippers.”


Of the 19 sub-campaigns identified so far, three are said to be currently active. The name “Tusk” is a reference to the word “Mammoth” used by the threat actors in log messages associated with the initial downloader. It is worth noting that mammoth is a slang term often used by Russian e-crime groups to refer to victims.

The campaigns are also notable for using phishing tactics to deceive victims into parting with their personal and financial information, which is then sold on the dark web or used to gain unauthorized access to their gaming accounts and cryptocurrency wallets.

The first of the three sub-campaigns, known as TidyMe, mimics peerme[.]io with a lookalike site hosted on tidyme[.]io (as well as tidymeapp[.]io and tidyme[.]app) that solicits a click to download a malicious program for both Windows and macOS systems, served from Dropbox.

The downloader is an Electron application that, when launched, prompts the victim to enter the CAPTCHA displayed, after which the main application interface is shown, while two additional malicious files are covertly fetched and executed in the background.

Both payloads observed in the campaign are Hijack Loader artifacts, which ultimately launch a variant of the StealC stealer malware with capabilities to harvest a wide range of information.


RuneOnlineWorld (“runeonlineworld[.]io”), the second sub-campaign, involves the use of a bogus website simulating a massively multiplayer online (MMO) game named Rise Online World to distribute a similar downloader that paves the way for DanaBot and StealC on compromised hosts.

Also distributed via Hijack Loader in this campaign is a Go-based clipper malware that is designed to monitor clipboard content and replace wallet addresses copied by the victim with an attacker-controlled Bitcoin wallet address, so that the victim unknowingly sends funds to the attacker.
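The clipper technique described above is easy to spot on an endpoint once you know what to look for: the clipboard changes from one valid Bitcoin address to a different valid Bitcoin address a few milliseconds after the user copied it, with no user action in between. The following Go program is an added example written for this article and is not Kaspersky's code nor the threat actor's clipper. It validates legacy Base58Check addresses (P2PKH starting with “1” and P2SH starting with “3”; bech32 “bc1…” addresses are out of scope here), then runs a swap detector over a constructed sequence of clipboard snapshots. The victim address is the well-known Bitcoin genesis-block address; the “attacker” address is built in the program from a constant hash and has no connection to this campaign. The 500 ms window is an assumed threshold: a human copying two addresses a minute apart is not flagged, a rewrite immediately after the copy is.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"math/big"
	"strings"
)

// Base58 alphabet used by Bitcoin legacy (P2PKH / P2SH) addresses.
const b58Alphabet = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

// base58Checksum returns the 4-byte Base58Check checksum:
// the first four bytes of SHA256(SHA256(payload)).
func base58Checksum(payload []byte) []byte {
	h1 := sha256.Sum256(payload)
	h2 := sha256.Sum256(h1[:])
	return h2[:4]
}

// EncodeLegacyBTCAddress Base58Check-encodes version||hash160 (21 bytes) plus checksum.
// Used here only to build the constructed attacker address for the demo.
func EncodeLegacyBTCAddress(version byte, hash160 []byte) string {
	raw := make([]byte, 0, 25)
	raw = append(raw, version)
	raw = append(raw, hash160...)
	raw = append(raw, base58Checksum(raw[:21])...)

	n := new(big.Int).SetBytes(raw)
	radix, mod := big.NewInt(58), new(big.Int)
	var out []byte
	for n.Sign() > 0 {
		n.DivMod(n, radix, mod)
		out = append(out, b58Alphabet[mod.Int64()])
	}
	for _, b := range raw { // each leading zero byte becomes a leading '1'
		if b != 0 {
			break
		}
		out = append(out, '1')
	}
	for i, j := 0, len(out)-1; i < j; i, j = i+1, j-1 { // digits were produced least-significant first
		out[i], out[j] = out[j], out[i]
	}
	return string(out)
}

// decodeBase58 decodes s into bytes, restoring one zero byte per leading '1'.
func decodeBase58(s string) ([]byte, bool) {
	n, radix := new(big.Int), big.NewInt(58)
	for _, c := range s {
		idx := strings.IndexRune(b58Alphabet, c)
		if idx < 0 {
			return nil, false // character outside the alphabet (0, O, I, l, ...)
		}
		n.Mul(n, radix)
		n.Add(n, big.NewInt(int64(idx)))
	}
	zeros := 0
	for zeros < len(s) && s[zeros] == '1' {
		zeros++
	}
	return append(make([]byte, zeros), n.Bytes()...), true
}

// IsLegacyBTCAddress reports whether s is a syntactically valid Base58Check address:
// 25 bytes = version (0x00 P2PKH or 0x05 P2SH) || 20-byte hash || 4-byte checksum.
func IsLegacyBTCAddress(s string) bool {
	raw, ok := decodeBase58(s)
	if !ok || len(raw) != 25 || (raw[0] != 0x00 && raw[0] != 0x05) {
		return false
	}
	return bytes.Equal(base58Checksum(raw[:21]), raw[21:])
}

// ClipboardEvent is a constructed clipboard snapshot: milliseconds since monitoring
// started plus the clipboard text at that moment (what a polling monitor would record).
type ClipboardEvent struct {
	AtMs    int64
	Content string
}

// SwapAlert describes a suspected clipper substitution.
type SwapAlert struct {
	Original, Replacement string
	DeltaMs               int64
}

// DetectAddressSwaps flags transitions where a valid legacy address is replaced by a
// different valid legacy address within maxDeltaMs. Unchanged reads and non-address
// content are ignored; slow, human-paced changes are treated as benign.
func DetectAddressSwaps(events []ClipboardEvent, maxDeltaMs int64) []SwapAlert {
	var alerts []SwapAlert
	for i := 1; i < len(events); i++ {
		p := strings.TrimSpace(events[i-1].Content)
		c := strings.TrimSpace(events[i].Content)
		if p == c || !IsLegacyBTCAddress(p) || !IsLegacyBTCAddress(c) {
			continue
		}
		if d := events[i].AtMs - events[i-1].AtMs; d <= maxDeltaMs {
			alerts = append(alerts, SwapAlert{Original: p, Replacement: c, DeltaMs: d})
		}
	}
	return alerts
}

func main() {
	victim := "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa" // Bitcoin genesis-block address (valid P2PKH)
	// Constructed attacker address for the demo; not a wallet tied to any real campaign.
	attacker := EncodeLegacyBTCAddress(0x00, bytes.Repeat([]byte{0x42}, 20))
	events := []ClipboardEvent{ // constructed clipboard snapshots
		{0, "hello"},
		{1000, victim},    // user copies the address they intend to pay
		{1040, attacker},  // clipboard rewritten 40 ms later: clipper behaviour
		{9000, attacker},  // unchanged read, ignored
		{60000, victim},   // user copies another address a minute later: benign
	}
	for _, a := range DetectAddressSwaps(events, 500) {
		fmt.Printf("ALERT: %s replaced by %s after %d ms\n", a.Original, a.Replacement, a.DeltaMs)
	}
}
```

Running the program prints a single alert for the 40 ms rewrite; the benign change a minute later is not reported. In a real monitor the address check and timing window would be combined with process attribution (which process wrote to the clipboard), which this offline example cannot show.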

Rounding off the active campaigns is Voico, which impersonates an AI translator project called YOUS (yous[.]ai) with a malicious counterpart dubbed voico[.]io in an effort to disseminate an initial downloader that, upon installation, asks the victim to fill out a registration form containing their credentials and then logs the information to the console.


The final payloads exhibit similar behavior to those of the second sub-campaign, the only difference being that the StealC malware used in this case communicates with a different command-and-control (C2) server.

“The campaigns […] demonstrate the persistent and evolving threat posed by cybercriminals who are adept at mimicking legitimate projects to deceive victims,” the researchers said. “The reliance on social engineering techniques such as phishing, coupled with multistage malware delivery mechanisms, highlights the advanced capabilities of the threat actors involved.”

“By exploiting the trust users place in well-known platforms, these attackers effectively deploy a range of malware designed to steal sensitive information, compromise systems, and ultimately achieve financial gain.”
