Cybersecurity researchers have warned of a new scam that uses fake video conferencing software to deliver an information stealer called Realst targeting people working in Web3 under the guise of fake business meetings.
“The threat actors behind the malware have created fake campaigns that use artificial intelligence to boost their legitimacy,” Cado Security researcher Tara Gould said. “The company is reaching out to properties to set up a video call by asking the user to download a meeting app from a website that is a Realst Infostealer.”
The security company codenamed the activity Meeten due to the use of names such as Clusee, Cuesee, Meeten, Meetone and Meetio for fake sites.
The attacks involve approaching potential targets on Telegram to discuss a potential investment opportunity, inviting them to join a video call hosted on one of the dubious platforms. Users who land on the site are prompted to download the Windows or macOS version, depending on the operating system they are using.
Once installed and running on macOS, users are greeted with a message stating that “the current version of the program is not fully compatible with your version of macOS” and that they need to enter their system password for the program to work properly.
This is achieved using the osascript method that was accepted by several families of macOS stealers such as Atomic macOS Stealer, Cuckoo, MacStealer, Banshee Stealer and Cthulhu Stealer. The ultimate goal of the attack is to steal various types of sensitive data, including from cryptocurrency wallets, and export it to a remote server.
The malware is also capable of stealing Telegram credentials, banking information, iCloud Keychain data, and cookies from Google Chrome, Microsoft Edge, Opera, Brave, Arc, Cốc Cốc, and Vivaldi browsers.
The Windows version of the Nullsoft Scriptable Installer System (NSIS) file signed with a possibly stolen legal signature from Brys Software Ltd. Embedded in the installer is an Electron application that is configured to retrieve the steal executable, a Rust-based binary, from a domain controlled by the attacker.
“Threat actors are increasingly using artificial intelligence to create content for their companies,” Gould said. “The use of artificial intelligence allows threat actors to quickly create realistic website content that adds legitimacy to their scams and makes it harder to detect suspicious websites.”
This isn’t the first time fake meeting software brands have been used to spread malware. Earlier in March of this year, Jamf Threat Labs revealed that it discovered a fake website called meethub(.)gg to distribute malware-stealing software that matches Realst.
Then Recorded Future in June in detail a company called markopolo that targeted cryptocurrency users with fake virtual meeting software to drain their wallets with steals like Rhadamanthys, Stealc, and Atomic.
Development occurs as a threat to actors for The Banshee Kidnapper macOS malware to stop its activities after leaking their source code. It is still unclear what caused the leak. The malware was advertised on cybercrime forums for a $3,000 monthly subscription fee.
It also follows the emergence of new families of malicious programs such as Unstable hijacker, Thief of wishes, Hexon Stealerand Sky thiefeven as users and companies looking for pirated software and AI tools are targeted by RedLine Stealer and Poseidon’s kidnapperrespectively.
“The attackers behind this campaign are clearly interested in gaining access to organizations of Russian-speaking entrepreneurs who use software to automate business processes,” Kaspersky said. said of the RedLine Stealer Company.
