Markopolo scam targets crypto users via fake meeting software

Published on June 19, 2024 · Newsroom · Cybercrime / Cryptocurrency

A threat actor operating under the pseudonym Markopolo has been identified as responsible for a large-scale, cross-platform scam that targets digital currency users on social media with information-stealing malware and commits cryptocurrency theft.

The attack chains use a purported virtual meeting application called Vortax (and 23 other apps) as a conduit to deliver Rhadamanthys, StealC and Atomic macOS Stealer (AMOS), Recorded Future's Insikt Group said in an analysis published this week.

“This campaign, primarily targeting cryptocurrency users, marks a significant increase in macOS security threats and reveals a vast network of malicious applications,” the cybersecurity firm noted, describing Markopolo as “agile, adaptable and versatile.”

There is evidence linking the Vortax campaign to previous activity in which the actor leveraged trap phishing techniques to target macOS and Windows users with Web3 gaming lures.

A crucial aspect of the malicious operation is the attempt to lend Vortax legitimacy on social media and the web: its operators maintain a dedicated Medium blog filled with suspicious AI-generated articles, as well as a verified account bearing a gold check mark.

Downloading the booby-trapped application requires victims to provide a RoomID, a unique identifier for a meeting invitation, which is distributed via replies and direct messages from the Vortax account and through cryptocurrency-related Discord and Telegram channels.

Once a user enters the required RoomID on the Vortax website, they are redirected to a Dropbox link or an external website that hosts the software installer, which ultimately delivers the stealer malware.

“The threat actor running this campaign, identified as markopolo, leverages shared hosting and C2 infrastructure for all builds,” Recorded Future said.

“This suggests that the threat actor is relying on convenience to enable an agile campaign, quickly abandoning scams once detected or producing diminishing returns and targeting new lures.”

The findings show that the pervasive threat of infostealer malware cannot be overlooked, especially in light of the recent campaign targeting Snowflake.

The development comes as Enea revealed that SMS scammers are abusing cloud storage services such as Amazon S3, Google Cloud Storage, Backblaze B2 and IBM Cloud Object Storage to trick users into clicking fake links that lead to phishing pages designed to steal customer data.

“Cybercriminals have now found a way to exploit the capabilities provided by cloud storage to host static websites (typically .HTML files) containing spam URLs embedded in their source code,” said security researcher Manoj Kumar.

“The URL linking to the cloud storage is distributed via text messages, which appear authentic and can therefore bypass firewall restrictions. When mobile users click on these links, which contain known domains of the cloud platform, they are directed to the static website stored in the storage bucket.”

In the final stage, the website automatically redirects users to the embedded spam URLs, or to URLs generated dynamically with JavaScript, and tricks them into providing personal and financial information.

“Since the root domain of the URL contains, for example, the authentic URL/domain of Google Cloud Storage, it is difficult to detect it through normal URL crawling,” Kumar said. “Detecting and blocking URLs of this type presents an ongoing challenge due to their association with legitimate domains belonging to reputable or prominent companies.”
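The detection problem Kumar describes is that the link in the SMS carries a reputable cloud-storage domain, so the signal lies in the page it serves rather than in the URL itself. The following Python triage helper is an added example, not Enea's or Kumar's code: it flags SMS links whose host is one of the cloud object-storage services named above (the exact hostnames listed are an assumption), and then, given the static HTML that such a link serves, extracts the onward redirect targets (meta refresh and JavaScript `location` assignments) so the real landing domain can be blocked or reputation-scored. The SMS text and HTML page are constructed samples using reserved `.invalid` domains.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames of the cloud object-storage services named in the article.
# Assumption: these are the static-hosting hostnames a defender would watch;
# extend the tuple for the providers in your own environment.
CLOUD_STORAGE_HOSTS = (
    "s3.amazonaws.com",
    "storage.googleapis.com",
    "backblazeb2.com",
    "cloud-object-storage.appdomain.cloud",
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# JavaScript redirect idioms: location = "...", location.href = "...",
# location.replace("...") and location.assign("...").
JS_REDIRECT_RE = re.compile(
    r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]"
    r"|location\.(?:replace|assign)\(\s*['\"]([^'\"]+)['\"]",
    re.IGNORECASE,
)

META_REFRESH_RE = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.IGNORECASE)


def extract_urls(text):
    """Return every http(s) URL in a text message, trailing punctuation removed."""
    return [u.rstrip(".,;)") for u in URL_RE.findall(text)]


def is_cloud_storage_url(url):
    """True when the URL's host is (a subdomain of) a watched storage service."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in CLOUD_STORAGE_HOSTS)


def flag_sms(text):
    """Cloud-storage links in an SMS: legitimate domain, untrusted content."""
    return [u for u in extract_urls(text) if is_cloud_storage_url(u)]


class RedirectExtractor(HTMLParser):
    """Collects redirect targets from a static HTML page, in document order."""

    def __init__(self):
        super().__init__()
        self.targets = []
        self._in_script = False

    def _add(self, url):
        if url and url not in self.targets:
            self.targets.append(url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_REFRESH_RE.search(a.get("content", ""))
            if m:
                self._add(m.group(1))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for m in JS_REDIRECT_RE.finditer(data):
                self._add(m.group(1) or m.group(2))


def redirect_targets(html):
    """All onward URLs a static lure page would send the visitor to."""
    p = RedirectExtractor()
    p.feed(html)
    return p.targets


def final_domains(html):
    """Sorted set of landing domains, i.e. what to block instead of the bucket host."""
    return sorted({urlparse(u).hostname for u in redirect_targets(html) if urlparse(u).hostname})


# Constructed sample SMS and the static page its link would serve.
SAMPLE_SMS = "Your parcel is on hold. Confirm delivery: https://storage.googleapis.com/example-bucket/notice.html."
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=https://example-lure.invalid/verify">
<script>
  if (Math.random() > 0.5) { window.location.href = "https://phish-login.invalid/acct"; }
  else { location.replace('https://phish-login.invalid/acct?v=2'); }
</script>
</head><body>Redirecting...</body></html>"""

if __name__ == "__main__":
    print("cloud-storage links:", flag_sms(SAMPLE_SMS))
    print("redirect targets:", redirect_targets(SAMPLE_HTML))
    print("block these domains:", final_domains(SAMPLE_HTML))
```

In practice the HTML would come from a sandboxed fetch of the flagged link; the point of separating `flag_sms` from `final_domains` is that the first only ranks a message for inspection (the bucket host is legitimate), while the second yields the domains that actually merit a block rule.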
