Clever macOS malware distribution campaign targets cryptocurrency users

Cryptocurrency users are being targeted with seemingly legitimate but fake apps that instead deliver information-stealing malware, researchers at Recorded Future warn.

The threat actor behind this complex scheme targets both Windows and Mac users and exploits social media and messaging platforms to trick them into installing the fake apps, which are in fact malware.

How cryptocurrency users are tricked into downloading malware

Vortax, supposedly a browser-integrated virtual meeting software, seems like a legitimate app at first glance:

  • It has a website indexed by major search engines and an associated Medium blog with articles that appear to be AI-generated
  • The website lists a physical address for the company and claims Fortune 500 companies as customers and awards from technology publications
  • It has a “verified” X account, as well as Telegram and Discord accounts

Potential targets are approached by Vortax accounts, either in reply to a direct question or during discussions on cryptocurrency-themed channels, and instructed to visit the site, click the “Try Vortax for Free” button, and enter the provided Room ID in order to download the application.

The Vortax download request (Source: Recorded Future)

“All Room IDs, when entered into the Vortax website, redirect the user to a Dropbox link (Windows) or an external website (plumbonwater[.]com) (macOS) which downloads the Vortax installer,” the researchers explained.

“Behavioral analysis of Vortax installers on Windows and macOS indicates that Vortax App Setup.exe and VortaxSetup.dmg deliver Rhadamanthys and Stealer [Atomic Stealer, aka AMOS], respectively.”

When downloaded and launched, the Vortax app appears not to work and shows errors (for example, a missing C++ driver). In the background, however, the malicious processes are already running and information theft can begin.

“Further investigation into the Vortax staging domain plumbonwater[.]com revealed 23 additional domains hosted on the same IP address (79.137.197.159),” the analysts noted, adding that each of these domains hosts a malicious application that delivers AMOS.

“Investigations into these malicious applications have uncovered additional scams – similar to Vortax (…) – that masquerade as legitimate companies and exploit social media and messaging platforms to target cryptocurrency users. These scams, like VDeck and Mindspeak, share crossover with the Vortax brand and are likely operated by the same threat actor: [AMOS UserID] Markopolo.”

What to do?

The researchers hypothesize that this campaign, along with a previously documented campaign by the same threat actor, could serve as a model for future ones and lead to a wider spread of Atomic Stealer.

They also suspect that Markopolo could be an initial access broker or a “log seller” on a dark web store.

They have shared a list of malicious applications, domains and file hashes, and advise organizations to regularly update their malware detection signatures and to consider security controls that prevent the download of unauthorized software.
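As an added illustration of how the shared indicators can be turned into a detection control, the following Python example (not part of the article or Recorded Future's own tooling) scans proxy-style log lines for the staging domain and IP address quoted above. The log lines, the log format and the request path are constructed for the example; the only real indicators are the domain plumbonwater[.]com and the IP 79.137.197.159 from the article.

```python
import re
from typing import Dict, List, Optional

# Indicators quoted in the article (the domain is written defanged on the page;
# we refang it here so it can be matched against real log data).
IOC_DOMAINS = {"plumbonwater[.]com".replace("[.]", ".")}
IOC_IPS = {"79.137.197.159"}

# Constructed sample proxy log (not real traffic). Assumed format:
# "<timestamp> <client-ip> <method> <destination>". The request path is
# made up; only the host and IP come from the article.
SAMPLE_LOG = """\
2024-06-20T10:01:02Z 10.0.0.12 GET https://www.example.org/index.html
2024-06-20T10:03:44Z 10.0.0.12 GET https://plumbonwater.com/VortaxSetup.dmg
2024-06-20T10:04:10Z 10.0.0.31 CONNECT 79.137.197.159:443
2024-06-20T10:05:00Z 10.0.0.31 GET https://cdn.example.net/app.zip
"""

# Optional scheme, then the host, then an optional ":port".
HOST_RE = re.compile(r"^(?:[a-z]+://)?([^/:\s]+)(?::\d+)?")


def extract_host(destination: str) -> str:
    """Return the host part of a URL or host:port string, lower-cased."""
    m = HOST_RE.match(destination.lower())
    return m.group(1) if m else ""


def match_ioc(host: str) -> Optional[str]:
    """Return the matching indicator, or None.

    Domains match exactly or as a subdomain (e.g. cdn.plumbonwater.com),
    so a new subdomain on the same staging domain is still caught.
    """
    if host in IOC_IPS:
        return host
    for domain in IOC_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def find_ioc_hits(log_text: str) -> List[Dict[str, object]]:
    """Scan log lines and return one record per line that touches an IoC."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the scan
        _timestamp, client, _action, destination = parts[:4]
        host = extract_host(destination)
        indicator = match_ioc(host)
        if indicator is not None:
            hits.append({"line": lineno, "client": client,
                         "host": host, "indicator": indicator})
    return hits


if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG):
        print(f"line {hit['line']}: client {hit['client']} "
              f"contacted {hit['host']} (matches {hit['indicator']})")
```

Matching on the IP as well as the domain matters here because the article reports 23 further malicious domains on the same address: a lookalike brand the list does not yet name still resolves to 79.137.197.159, so the IP match catches it until the domain list is updated.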

Users should be careful when downloading third-party software and keep abreast of the latest tricks used by cybercriminals.

Source
