Researchers at cybersecurity firm Darktrace warn that threat actors are using increasingly sophisticated social engineering tactics to infect victims with crypto-stealing malware.
In its latest blog post, Darktrace researchers detailed an elaborate campaign in which attackers pose as a startup working in AI, gaming and Web3 to trick users into downloading malicious software.
The scheme relies on verified and compromised X accounts, together with plausible-looking project documents hosted on legitimate platforms, to create an illusion of legitimacy.
The report says the campaign usually starts with an impersonator reaching out to potential victims on X, Telegram or Discord. They pose as representatives of emerging startups and offer incentives such as cryptocurrency payments in exchange for testing the software.
Victims are directed to polished company websites designed to mimic legitimate startups, complete with white papers, roadmaps, GitHub entries and even fake merchandise stores.
When the target runs the downloaded application, a fake Cloudflare verification screen appears. While it is displayed, the malware quietly collects system information such as CPU details, MAC address and user ID. This information, along with the CAPTCHA token, is sent to the attacker’s server, which decides whether the system is a viable target.
If that check passes, a second-stage payload, usually an information stealer, is delivered and quietly extracts sensitive data including cryptocurrency wallet credentials.
Both Windows and macOS versions of the malware have been detected, and some Windows variants are known to use code-signing certificates stolen from legitimate companies.
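The two-stage gate described above (profile the host behind a CAPTCHA-style screen, then let a server decide whether to ship the stealer) leaves a network footprint a defender can hunt for. The following is an added example, not code from Darktrace’s report or from the malware itself: it scans constructed proxy log lines for an installer download followed within minutes by a POST to an untrusted host that carries host-identifying fields plus a CAPTCHA token. The log format, the field names (cpu, mac, uid, token), the allowlisted host and the sample addresses are all assumptions made for the illustration.

```python
"""Flag the 'fake verification gate' pattern in constructed proxy logs.

Added illustration; not Darktrace's code or data. Log format, field names,
trusted-host allowlist and sample addresses are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

INSTALLER_SUFFIXES = (".dmg", ".pkg", ".exe", ".msi", ".zip")
# Keys a first-stage profiler might send (assumed names); two or more plus a token = hit.
FINGERPRINT_KEYS = {"cpu", "mac", "uid", "hwid", "hostname"}
TOKEN_KEYS = {"token", "cf_token", "captcha"}
# Hosts that legitimately receive CAPTCHA/Turnstile traffic (assumed allowlist).
TRUSTED_HOSTS = {"challenges.cloudflare.com"}
WINDOW = timedelta(minutes=5)  # max gap between download and profiling beacon

# Constructed sample log: "<iso-time> <client> <method> <url> <status> <body-or-dash>"
SAMPLE_LOG = """\
2025-07-01T10:00:01Z 10.0.0.5 GET https://startup-site.example/download/App.dmg 200 -
2025-07-01T10:00:09Z 10.0.0.5 POST https://challenges.cloudflare.com/turnstile/v0/siteverify 200 response=tok123
2025-07-01T10:00:12Z 10.0.0.5 POST https://203.0.113.7/check 200 cpu=AppleM2&mac=02:00:00:aa:bb:cc&uid=501&token=tok123
2025-07-01T10:00:13Z 10.0.0.5 GET https://203.0.113.7/stage2 200 -
2025-07-01T10:05:00Z 10.0.0.9 POST https://app.example/login 200 user=alice&password=x
2025-07-01T11:00:00Z 10.0.0.9 POST https://203.0.113.7/check 200 cpu=x&mac=y&token=z
"""


def parse_line(line: str) -> dict:
    """Split one log line into timestamp, client, method, URL, host and POST body keys."""
    ts, client, method, url, _status, body = line.split(" ", 5)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method,
        "url": url,
        "host": urlparse(url).hostname,
        "keys": set(parse_qs(body).keys()) if body != "-" else set(),
    }


def is_profiling_post(ev: dict) -> bool:
    """POST to a non-allowlisted host carrying >=2 host identifiers and a CAPTCHA token."""
    return (
        ev["method"] == "POST"
        and ev["host"] not in TRUSTED_HOSTS
        and len(ev["keys"] & FINGERPRINT_KEYS) >= 2
        and bool(ev["keys"] & TOKEN_KEYS)
    )


def find_gates(log_text: str) -> list:
    """Correlate, per client, an installer download with a profiling beacon inside WINDOW."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_client[ev["client"]].append(ev)

    findings = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        last_installer = None
        for ev in events:
            path = urlparse(ev["url"]).path.lower()
            if ev["method"] == "GET" and path.endswith(INSTALLER_SUFFIXES):
                last_installer = ev
            elif (
                is_profiling_post(ev)
                and last_installer is not None
                and ev["ts"] - last_installer["ts"] <= WINDOW
            ):
                findings.append({
                    "client": client,
                    "installer": last_installer["url"],
                    "beacon_host": ev["host"],
                    "fields": sorted(ev["keys"]),
                })
                last_installer = None  # one alert per download
    return findings


if __name__ == "__main__":
    for hit in find_gates(SAMPLE_LOG):
        print(hit)
```

The correlation with a preceding installer download is what separates this from a generic "POST containing a MAC address" rule: the 10.0.0.9 beacon at 11:00 carries the same fields but has no download in front of it and is not reported, while the genuine Turnstile call to the allowlisted Cloudflare host is skipped entirely. In a real deployment the field names and allowlist would come from observed traffic rather than from the guesses used here.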
According to Darktrace, the campaign resembles the tactics used by “traffer” groups, cybercrime networks that specialize in generating malware installations through deceptive content and social media manipulation.
The threat actors remain unidentified, but researchers believe the methods used are consistent with those seen in campaigns attributed to CrazyEvil, a group known to target crypto-related communities.
“CrazyEvil and its sub-teams have created fake software companies and targeted victims from Twitter and Medium, similar to those mentioned in this blog,” Darktrace wrote, adding that the group is “estimated to have made millions of dollars in revenue from malicious activities.”
Repeated threats
Similar malware campaigns have been detected on multiple occasions throughout the year, with one North Korea-linked operation using fake Zoom updates to compromise macOS devices at crypto companies.
The attackers reportedly deployed a new malware strain called “NimDoor,” delivered through a malicious SDK update. The multi-stage payload is designed to extract wallet credentials, browser data and encrypted Telegram files while maintaining persistence on the system.
In another example, the infamous North Korean hacking group Lazarus posed as recruiters targeting unsuspecting professionals with a new malware strain called “OtterCookie,” deployed during fake interview sessions.
Earlier this year, another study by blockchain forensics company Merkle Science found that social engineering scams were targeting celebrities and technology leaders through hacked X accounts.