Russian hackers use fake brand websites to spread DanaBot and StealC malware
August 16, 2024 | Ravie Lakshmanan | Malware / Data Theft

Cybersecurity researchers have discovered a sophisticated campaign that steals information and impersonates legitimate brands to spread malware such as DanaBot and StealC.

The cluster of activities, orchestrated by Russian-speaking cybercriminals and collectively codenamed Tusk, is believed to involve several sub-campaigns. These campaigns abuse the platforms’ reputations to lure users into downloading the malware via fake sites and social media accounts.

“All active subcampaigns host the initial downloader on Dropbox,” Kaspersky researchers Elsayed Elrefaei and AbdulRhman Alfaifi said. “This downloader is responsible for delivering additional malware samples to the victim’s machine, which are mainly info-stealers (DanaBot and StealC) and clippers.”

Of the 19 sub-campaigns identified so far, three are said to be currently active. The name “Tusk” is a reference to the word “Mammoth” used by the threat actors in log messages associated with the original downloader. It is worth noting that mammoth is a slang term often used by Russian e-crime groups to refer to victims.

What’s notable about these campaigns is that they use phishing tactics to trick victims into giving up their personal and financial information, which is then sold on the dark web or used to gain unauthorized access to their gaming accounts and cryptocurrency wallets.

The first of the three sub-campaigns, known as TidyMe, imitates peerme(.)io with a similar site hosted on tidyme(.)io (and tidymeapp(.)io and tidyme(.)app) that prompts visitors to click to download a malicious program for both Windows and macOS systems, served via Dropbox.

The downloader is an Electron application that, when launched, asks the victim to enter the CAPTCHA that is displayed. After that, the main interface of the application is displayed, while two additional malicious files are secretly fetched and executed in the background.

Both payloads observed in the campaign are Hijack Loader artifacts, which ultimately launch a variant of the StealC stealer malware capable of collecting a wide range of information.

DanaBot and StealC malware

RuneOnlineWorld (“runeonlineworld(.)io”), the second sub-campaign, uses a fake website simulating a massively multiplayer online (MMO) game called Rise Online World to distribute a similar downloader that paves the way for DanaBot and StealC on compromised hosts.

A Go-based clipper malware is also being distributed in this campaign via Hijack Loader. This malware is designed to monitor the contents of the clipboard and replace wallet addresses copied by the victim with an attacker-controlled Bitcoin wallet in order to perform fraudulent transactions.
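The clipper described above works because a pasted wallet address looks just as plausible as the one the user copied, so the substitution is invisible unless something compares the two. The following added example (not code from the article or from Kaspersky's report) shows the defender-side check a wallet front-end or endpoint agent could apply: validate that a string really is a legacy Bitcoin address (Base58Check with a double-SHA256 checksum), then flag a paste event whose content differs from what the user copied but is itself a well-formed address. The 20-byte hash used to build the second address is a constructed value, not a real wallet.

```python
import hashlib
import re
from typing import Optional

# Base58 alphabet used by legacy (P2PKH "1..." and P2SH "3...") Bitcoin addresses.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B58_INDEX = {c: i for i, c in enumerate(B58_ALPHABET)}

# Shape check only: legacy addresses are 26-35 Base58 characters starting with 1 or 3.
LEGACY_RE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")


def _checksum(payload: bytes) -> bytes:
    """Base58Check checksum: first 4 bytes of SHA256(SHA256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def base58check_encode(payload: bytes) -> str:
    """Encode version byte + hash160 into a Base58Check address string."""
    data = payload + _checksum(payload)
    n = int.from_bytes(data, "big")
    digits = ""
    while n > 0:
        n, rem = divmod(n, 58)
        digits = B58_ALPHABET[rem] + digits
    # Every leading zero byte is represented by a leading '1'.
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + digits


def base58check_decode(s: str) -> Optional[bytes]:
    """Return the payload (without checksum) if the checksum verifies, else None."""
    n = 0
    for c in s:
        if c not in B58_INDEX:
            return None
        n = n * 58 + B58_INDEX[c]
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    data = b"\x00" * pad + raw
    if len(data) < 5:
        return None
    payload, checksum = data[:-4], data[-4:]
    return payload if _checksum(payload) == checksum else None


def is_valid_legacy_btc_address(s: str) -> bool:
    """True only if the string has the right shape, a valid checksum and a known version byte."""
    if not LEGACY_RE.match(s):
        return False
    payload = base58check_decode(s)
    # 1 version byte + 20-byte hash160; 0x00 = P2PKH, 0x05 = P2SH (mainnet).
    return payload is not None and len(payload) == 21 and payload[0] in (0x00, 0x05)


def detect_clipboard_swap(copied: str, pasted: str) -> Optional[str]:
    """Compare what the user copied with what arrives at paste time.

    A clipper rewrites the clipboard between those two events, so a valid address
    that turns into a *different* valid address is the signature worth alerting on.
    """
    if not is_valid_legacy_btc_address(copied):
        return None  # the user did not copy a wallet address; nothing to guard
    if pasted == copied:
        return None
    if is_valid_legacy_btc_address(pasted):
        return "clipboard replaced with a different valid Bitcoin address"
    return "clipboard altered after copy"


if __name__ == "__main__":
    # Well-known genesis-block address, used here as the address the user copied.
    copied = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
    # Constructed attacker-style address: version 0x00 + an arbitrary 20-byte value.
    swapped = base58check_encode(b"\x00" + bytes(range(20)))
    print(detect_clipboard_swap(copied, swapped))
```

The checksum step matters: a detector that only pattern-matches on shape would also fire on harmless edits such as a truncated paste, whereas a second string that passes Base58Check is almost certainly a deliberate replacement.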

The active campaigns are rounded out by Voico, which imitates an AI translation project called YOUS (yous(.)ai) with a malicious counterpart called voico(.)io to distribute an initial downloader that, once installed, asks the victim to fill out a registration form with their login credentials and then records that information on the console.

The final payloads exhibit similar behavior to the second subcampaign. The only difference is that the StealC malware used in this case communicates with a different command-and-control (C2) server.

“The campaigns (…) demonstrate the persistent and evolving threat posed by cybercriminals adept at mimicking legitimate projects to deceive victims,” the researchers said. “The reliance on social engineering techniques such as phishing, coupled with multi-stage malware delivery mechanisms, highlights the sophistication of the threat actors involved.”

“By abusing the trust users place in well-known platforms, these attackers can effectively deploy a range of malware designed to steal sensitive information, compromise systems, and ultimately make financial gain.”