Cyber security researchers have shed light on a sophisticated phishing campaign that impersonates legitimate brands to distribute malware such as DanaBot and StealC.
Organized by Russian-speaking cybercriminals and codenamed Tusk, the cluster of activities is said to involve several sub-companies, using the platforms’ reputations to trick users into downloading malware using bogus websites and social media accounts.
“All active subcompanies host the initial bootloader on Dropbox,” Kaspersky researchers Elsayed Elrefai and AbdulRman Alfaifi said. “This bootloader is responsible for delivering additional malware samples to the victim’s machine, which are mainly information stealers (DanaBot and StealC) and clippers.”
Of the 19 subcompanies identified to date, three are active. The name “Tusk” is a reference to the word “Mammoth” used by threat actors in log messages related to the initial bootloader. It should be noted that mammoth is a slang term often used by Russian cybercriminal groups to refer to victims.
Companies are also known to use phishing tactics to trick victims into parting with personal and financial information, which is then sold on the dark web or used to gain unauthorized access to their gaming accounts and cryptocurrency wallets.
The first of the three sub-campaigns, known as TidyMe, mimics peerme(.)io with a similar site hosted on tidyme(.)io (as well as tidymeapp(.)io and tidyme(.)app) that requires a click to download malware for Windows and macOS, served with Dropbox.
The loader is an Electron program that, when launched, prompts the victim to enter a specified CAPTCHA, after which the main program interface is displayed, while two additional malicious files are secretly selected and executed in the background.
Both payloads are seen in the campaign Hijack bootloader artifacts that eventually launch a variant of the StealC malware with the ability to collect a wide range of information.
RuneOnlineWorld (“runeonlineworld(.)io”), a second sub-campaign, involves using a fake website simulating a massively multiplayer online game (MMO) called Rise Online World to distribute a similar downloader that opens the way for DanaBot and StealC on compromised hosts .
Also via Hijack Loader, this campaign distributes the Go-based Clipper malware, which is designed to monitor clipboard contents and replace victim-copied wallet addresses with an attacker-controlled Bitcoin wallet to execute fraudulent transactions.
Ends active campaigns by Voico, which embodies an artificial intelligence translator project called YOUS (yous(.)ai) with a malicious counterpart called voico(.)io to distribute a bootloader that, once installed, asks the victim to fill out a registration form containing their credentials and then logs the information to the console.
The final payloads exhibit the same behavior as in the second subcampaign, the only difference being that the StealC malware used in this case communicates with a different command and control server (C2).
“Companies (…) present a constant and evolving threat posed by cybercriminals who skillfully imitate legitimate designs to trick victims,” the researchers said. “The reliance on social engineering techniques such as phishing, combined with multi-stage malware delivery mechanisms, highlights the advanced capabilities of the threat actors involved.”
“By exploiting users’ trust in well-known platforms, these attackers are effectively deploying a range of malware designed to steal sensitive information, compromise systems, and ultimately reap financial benefits.”