"LC" discovered Tusk's fraudulent campaign

Researchers from Kaspersky Lab have published a report on a sophisticated campaign, dubbed Tusk, that targets Windows and macOS users with the DanaBot and StealC malware while disguising itself as legitimate brands.

The observed cluster of activity is run by Russian-speaking actors and covers several sub-campaigns, both active and inactive, each using an initial loader hosted on Dropbox that delivers additional malware samples, primarily infostealers and clippers.

Of the 19 sub-campaigns identified, only three are currently active.

The name Tusk is a reference to the slang term Mammoth, which appears in the log entries associated with the original loader.

The campaigns are also notable for the use of various phishing tactics, the main goal of which is to steal personal and financial information, which is subsequently sold on the dark web or used to access gaming accounts and crypto wallets.

The first of the three sub-campaigns, known as TidyMe, mimics peerme[.]io with a look-alike site hosted on tidyme[.]io (as well as tidymeapp[.]io and tidyme[.]app), which distributes malware for Windows and macOS.

The downloader is an Electron application that, when launched, prompts the victim to enter a displayed CAPTCHA, after which the application's main interface is displayed, while two additional malicious files are secretly downloaded and executed in the background.

Both malicious files dropped during this campaign are Hijack Loader samples, which ultimately launch a strain of the StealC malware capable of collecting a wide range of information.

The second sub-campaign, RuneOnlineWorld ("runeonlineworld[.]io"), uses a fake site mimicking the online multiplayer game Rise Online World to distribute a similar loader that paves the way for DanaBot and StealC on the compromised hosts.

In the course of this campaign, Hijack Loader also distributes Go-based clipper malware, designed to monitor clipboard contents and spoof crypto wallet addresses to intercept transactions.
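A defensive illustration of the clipper behaviour described above, written as an added example rather than code from the Kaspersky report: it compares what the user copied with what the clipboard holds at paste time and flags a wallet-address substitution. The address recognisers are syntax-only (no checksum validation) and the event trace is constructed.

```python
import re
from typing import Optional

# Syntax-only recognisers for common wallet address formats (no checksum
# validation); enough to notice that one address was replaced by another.
WALLET_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_wallet_address(value: str) -> Optional[str]:
    """Return 'btc', 'eth', or None for text that is not a wallet address."""
    value = value.strip()
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(value):
            return kind
    return None


def detect_clipboard_swap(copied: str, observed: str) -> Optional[dict]:
    """Flag a clipper-style substitution: the user copied a wallet address,
    but the clipboard now holds something different."""
    kind = classify_wallet_address(copied)
    if kind is None or copied.strip() == observed.strip():
        return None
    return {
        "asset": kind,
        "expected": copied.strip(),
        "found": observed.strip(),
        "found_kind": classify_wallet_address(observed),
    }


# Constructed trace of (text the user copied, clipboard content at paste time).
SAMPLE_EVENTS = [
    ("meeting notes for tuesday", "meeting notes for tuesday"),
    ("0x" + "ab" * 20, "0x" + "ab" * 20),  # ETH address, untouched
    ("1AbCdEfGhJkMnPqRsTuVwXyZ23456789ab",  # BTC address copied ...
     "1ZyXwVuTsRqPnMkJhGfEdCbA98765432ba"),  # ... swapped before paste
]


def scan_events(events) -> list:
    """Run the swap check over a trace and return only the alerts."""
    return [a for a in (detect_clipboard_swap(c, o) for c, o in events) if a]


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print("clipboard swap detected:", alert)
```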

Rounding out the active campaigns is Voico, which poses as the YOUS smart translator (yous[.]AI) with a malicious counterpart dubbed voico[.]io, in order to distribute a loader that, once installed, asks the victim to fill out a registration form with their credentials and then logs that information to the console.

The final payloads exhibit the same behavior as in the second sub-campaign, the only difference being that the StealC malware used in this case is interacting with another C2.

All campaigns demonstrate the skillful use of social engineering techniques, including phishing, combined with multi-stage malware delivery mechanisms, highlighting the advanced capabilities of the threat actors involved.

• Source: https://securelist.com/tusk-infostealers-campaign/113367/