Alert: Markopolo's Scam Targeting Crypto Users via Fake Meeting Software

June 19, 2024Press RoomCyber Security / Digital Currency

An individual known as markopolo has been identified as the mastermind behind a widespread multi-platform scheme that targets cryptocurrency users on social networks, using information-stealing malware that harvests data and drains cryptocurrency.

The attack chains revolve around a fake virtual meeting application called Vortax (along with 23 other applications), which is used to distribute the Rhadamanthys, StealC, and Atomic macOS Stealer (AMOS) information stealers, as reported by Recorded Future's Insikt Group in its recent analysis.

“This operation, mainly aimed at those involved in cryptocurrency, highlights a substantial increase in security threats for macOS and exposes an extensive network of malicious software applications,” the cybersecurity firm pointed out, referring to markopolo as “flexible, adaptable, and versatile.”


There is evidence linking the Vortax operation to earlier activity that used lure-based phishing to target macOS and Windows users with Web3 gaming enticements.

An integral part of the scheme is the effort to make Vortax look legitimate on social media and the web: the perpetrators run a dedicated Medium blog full of suspected AI-generated posts and own a verified profile on X (formerly Twitter) carrying a gold badge.

Obtaining the malicious application requires victims to supply a RoomID, a unique identifier for a meeting invitation that is shared via replies to the Vortax profile, direct messages, and cryptocurrency-related Discord and Telegram groups.

Once the user enters the required Room ID on the Vortax site, they are directed to a Dropbox link or an external site that offers an installer for the software, which then deploys the data-stealing malware.

“The individual behind this activity, known as markopolo, uses shared hosting and C2 infrastructure for all versions,” as per Recorded Future’s statement.

“This implies that the individual relies on convenience to carry out a flexible operation, quickly abandoning deceptions once identified or no longer yielding significant results, and moving on to new enticements.”

The findings underscore the prominent threat posed by information-stealing malware, particularly in the wake of the recent campaign targeting Snowflake.

The developments coincide with Enea's disclosure that SMS scammers are abusing cloud storage services such as Amazon S3, Google Cloud Storage, Backblaze B2, and IBM Cloud Object Storage to lure users into clicking fraudulent links that lead to phishing sites harvesting user data.


“Cybercriminals have figured out a method to exploit the cloud storage feature by hosting static websites (usually .HTML files) with embedded spam URLs in the code,” stated security researcher Manoj Kumar in his report.

“The URL pointing to the cloud storage is shared via text messages, appearing legitimate and thus bypassing firewall restrictions. Upon clicking these links, mobile users are redirected to the stored static website in the storage bucket.”

The website then automatically redirects users to spam URLs embedded in the page, or to URLs generated dynamically with JavaScript, to coax them into disclosing personal and financial details.

“Since the primary domain of the URL includes legitimate URLs/domains from platforms like Google Cloud Storage, normal URL scans find it challenging to detect it,” Kumar explained. “Identifying and stopping URLs of this nature presents an ongoing challenge due to their association with respected domains of well-known companies.”
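The Enea finding above describes a static HTML object hosted in a legitimate cloud-storage bucket that redirects the visitor to the real phishing page, which is why scanners keyed on the link's domain miss it. As an added illustration from the defender's side (not code from the article, from Enea, or from the researcher quoted), the Python below triages an SMS-delivered link: it flags hosts that belong to the storage providers named in the article, and parses a fetched page for the literal redirect destinations carried in meta-refresh tags and JavaScript location assignments, so the analyst sees where the "static" page actually sends the victim. The host list, the regular expressions, and the sample page are constructed assumptions, not indicators from the report.

```python
"""
Added example (not from the article or Enea's report): triage helper for
SMS-delivered links that point at cloud object storage.  Flags bucket-hosting
domains and extracts literal redirect targets from a fetched HTML page.
"""
import re
from urllib.parse import urlparse

# Constructed suffix list for the storage providers named in the article.
# Suffix matching also catches bucket-as-subdomain hosts (e.g. <bucket>.s3.<region>.amazonaws.com).
STORAGE_HOST_SUFFIXES = (
    "storage.googleapis.com",
    "amazonaws.com",
    "backblazeb2.com",
    "cloud-object-storage.appdomain.cloud",
)

# <meta http-equiv="refresh" content="0; url=https://...">
META_REFRESH_RE = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)',
    re.IGNORECASE,
)
# window.location.href = "https://..."  /  location.replace("https://...")
# Only literal strings are caught; URLs built by concatenation at run time need a
# headless browser or sandbox, which is the "dynamically created" case Enea mentions.
JS_LOCATION_RE = re.compile(
    r'(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']|'
    r'location\.(?:replace|assign)\(\s*["\']([^"\']+)["\']\s*\)',
    re.IGNORECASE,
)


def is_cloud_storage_url(url: str) -> bool:
    """True when the URL's host is (a subdomain of) a known bucket-hosting domain."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in STORAGE_HOST_SUFFIXES)


def extract_redirect_targets(html: str) -> list:
    """Literal redirect destinations from meta-refresh tags and JS location
    assignments, in order of appearance, de-duplicated."""
    found = [m.group(1) for m in META_REFRESH_RE.finditer(html)]
    found += [m.group(1) or m.group(2) for m in JS_LOCATION_RE.finditer(html)]
    seen, out = set(), []
    for u in found:
        if u not in seen:
            seen.add(u)
            out.append(u)
    return out


def triage_sms_link(url: str, html: str) -> dict:
    """Combine the two signals: a legitimate-looking storage host whose page
    immediately redirects off-domain is the pattern described in the report."""
    src_host = (urlparse(url).hostname or "").lower()
    targets = extract_redirect_targets(html)
    # Relative redirects (no host) stay on the bucket; only foreign hosts count.
    off_domain = [t for t in targets
                  if (urlparse(t).hostname or "").lower() not in ("", src_host)]
    storage_host = is_cloud_storage_url(url)
    return {
        "cloud_storage_host": storage_host,
        "redirect_targets": targets,
        "off_domain_redirects": off_domain,
        "suspicious": storage_host and bool(off_domain),
    }


# Constructed sample: a bucket-hosted page that bounces the visitor to a lure site.
SAMPLE_URL = "https://storage.googleapis.com/example-bucket/promo.html"
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=https://prize-claim.example/login">
<script>
  setTimeout(function () {
    window.location.href = "https://prize-claim.example/login?src=sms";
  }, 500);
</script></head><body><a href="#">Loading...</a></body></html>"""

if __name__ == "__main__":
    for key, value in triage_sms_link(SAMPLE_URL, SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

In practice the page body would come from a detonation fetch of the SMS link rather than an inline string, and the off-domain targets, not the bucket URL, are what belong on a blocklist, since the bucket host is a shared provider domain that cannot be blocked wholesale.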
