URL: https://www.helpnetsecurity.com/2024/12/06/information-cryptocurrency-stealing-malware-windows-macos/
Zeljka Zorz, Editor-in-Chief, Help Net Security
December 6, 2024

WINDOWS, MACOS USERS TARGETED WITH CRYPTO-AND-INFO-STEALING MALWARE



Downloading anything from the internet is a gamble these days: you might think
that you are downloading an innocuous app from a legitimate firm but thanks to
clever misuse of AI and some social engineering, you can end up with information
and cryptocurrency-stealing malware.

Case in point: Cado Security Labs researchers have recently reported websites
set up to impersonate companies offering a video conferencing app, but actually
serving the Realst info-stealer.


PREPARING AND EXECUTING THE SCAM

To start, the crooks use AI tools to build websites that create the illusion of
belonging to legitimate companies. They also set up accounts on Twitter and
Medium, for good measure.

After setting the stage, the crooks reach out to the targets.

In one reported instance, a user was contacted via Telegram by an acquaintance –
or so they thought. The Telegram account was created to impersonate a contact of
the target, Cado researchers said, and the scammer even sent an investment
presentation from the target’s company to the target.

Other users report being on calls related to Web3 work and being instructed to
download the software.

The domains for the websites and the app offered for download use variations of
the word Meeten.



THE DOWNLOAD PAGE OF THE MEETEN WEBSITE (SOURCE: CADO SECURITY LAB)

“The company regularly changes names, has also gone by Clusee[.]com, Cuesee,
Meeten[.]gg, Meeten[.]us, Meetone[.]gg and is currently going by the name
Meetio,” the researchers shared.

In addition to hosting information stealers, the Meeten websites also contain
code to steal cryptocurrency even before the fake video app is installed.

“Cryptocurrency is stored in wallets which can take many forms. On one end you
have hardware wallets which are standalone devices which store cryptocurrency
keys separate to a computer. Another type of wallet is a web browser extension
which could be attacked via JavaScript in a malicious website,” Paul Scott,
Solutions Engineer at Cado Security told Help Net Security.

“If a user has their wallet unlocked in their browser and visits a malicious
website, the JavaScript on the site automatically checks if there are unlocked
wallets present and will attempt to transfer cryptocoins to a wallet the
attacker controls.”

This particular campaign seems to be aimed at people working with Web3
technologies (e.g., blockchain), and has been active for approximately four months.


THE MALWARE

The fake apps are actually macOS and Windows variants of the Realst infostealer,
which was first discovered in 2023 by security researcher iamdeadlyz.

The malware looks to steal Telegram credentials; keychain credentials; browser
cookies and credentials stored in Chrome, Opera, Brave, Edge, Arc, CocCoc and
Vivaldi browsers; Ledger, Trezor, Phantom and Binance wallets; and banking card
details.

Whether Realst is commodity malware or custom-made by a specific threat actor is
currently impossible to say.

“During our research we didn’t find any evidence of it being sold on
marketplaces,” Tara Gould, Threat Research Lead at Cado Security, told Help Net
Security.

“Being that the majority of stealers, and in particular crypto stealers, tend to
be commodity, it may be more likely than custom – but we cannot say for sure at
the moment.”

A definitive attribution of the campaign is also impossible at the moment. “The
targeting of macOS and cryptocurrency, along with the fake company, are in line
with the tactics, techniques, and procedures (TTPs) of North Korean hackers,
however this alone is not enough to make a determination,” Gould said. “There is
also the likely possibility of the campaign being conducted by cybercriminals as
opposed to an APT group.”

The websites serving the malware have since been taken down, but the researchers
advise users to be careful when being approached about business opportunities,
especially through Telegram: “Even if the contact appears to be an existing
contact, it is important to verify the account and always be diligent when
opening links.”
