Russian Hackers Exploiting Fake Brand Platforms to Propagate DanaBot and StealC Malware

Aug 16, 2024 | Ravie Lakshmanan | Malware / Data Theft

Cybersecurity researchers have disclosed a sophisticated information-stealing campaign that impersonates legitimate brands to distribute malware such as DanaBot and StealC.

The activity cluster, run by Russian-speaking cybercriminals and tracked collectively as Tusk, comprises several smaller campaigns that exploit the reputation of legitimate platforms to trick users into downloading the malware through fraudulent websites and social media profiles.

“All the current sub-campaigns host the initial downloader on Dropbox,” Kaspersky researchers Elsayed Elrefaei and AbdulRhman Alfaifi said in a statement. “This tool is accountable for delivering additional strains of malware to the victim’s device, primarily comprising info-thieves (DanaBot and StealC) and clippers.”


Of the 19 sub-campaigns identified so far, three are confirmed to be active. The name Tusk comes from the word “Mammoth” that the threat actors use in log messages associated with the initial downloader; mammoth is slang commonly used by Russian e-crime groups to refer to victims.

The campaigns are also notable for using phishing tactics to trick victims into giving up personal and financial details, which are then sold on the dark web or used to gain unauthorized access to their gaming accounts and cryptocurrency wallets.

The first sub-campaign, named TidyMe, mimics peerme[.]io with a counterfeit site hosted on tidyme[.]io (also tidymeapp[.]io and tidyme[.]app) that lures visitors into downloading a malicious program for Windows and macOS, served from Dropbox.

The downloader is an Electron application that, on launch, asks the victim to enter the displayed CAPTCHA, after which the main application interface is shown while two additional malicious files are quietly retrieved and executed in the background.

Both payloads observed in the campaign are Hijack Loader artifacts that ultimately launch a variant of the StealC stealer capable of harvesting a broad range of data.

DanaBot and StealC Malware

RuneOnlineWorld (“runeonlineworld[.]io”), the second sub-campaign, uses a counterfeit website imitating a massively multiplayer online (MMO) game named Rise Online World to distribute a similar downloader that delivers DanaBot and StealC to compromised systems.

Also distributed via Hijack Loader in this campaign is a Go-based clipper malware designed to monitor clipboard contents and replace wallet addresses copied by the victim with an adversary-controlled Bitcoin address in order to divert transactions.
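As an added, defender-side example (not code from Kaspersky's report or from the campaign), the following Python flags the clipper behaviour described above: a clipboard value that is a valid Bitcoin address being replaced by a different valid address moments later. The clipboard event log, process names and timings are constructed, and the two addresses are well-known public example addresses rather than attacker wallets.

```python
import hashlib
import re
from dataclasses import dataclass
# Base58 alphabet of legacy (P2PKH "1..." / P2SH "3...") Bitcoin addresses.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
LEGACY_RE = re.compile(r"^[13][" + B58 + r"]{25,34}$")

def is_legacy_btc_address(s: str) -> bool:
    """Base58Check: 21-byte payload followed by a 4-byte double-SHA256 checksum."""
    if not LEGACY_RE.match(s):
        return False
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    try:
        raw = n.to_bytes(25, "big")  # leading '1' chars decode to leading zero bytes
    except OverflowError:
        return False
    checksum = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return checksum == raw[21:]

@dataclass(frozen=True)
class ClipEvent:
    ts: float   # seconds since monitor start
    owner: str  # process that set the clipboard (e.g. via GetClipboardOwner)
    text: str

def detect_address_swaps(events, window_s=2.0):
    """Return (ts, owner, original, replacement) for each swap of one valid
    address for a different valid address within window_s seconds: a clipper
    rewrites the clipboard right after the user's copy, so the swap is fast."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        if (prev.text != cur.text and cur.ts - prev.ts <= window_s
                and is_legacy_btc_address(prev.text) and is_legacy_btc_address(cur.text)):
            alerts.append((cur.ts, cur.owner, prev.text, cur.text))
    return alerts

# Constructed clipboard log (hypothetical process names and timings); the
# addresses are well-known public example addresses, not attacker wallets.
SAMPLE_LOG = [
    ClipEvent(0.0, "explorer.exe", "meeting notes"),
    ClipEvent(10.0, "chrome.exe", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),   # user copies
    ClipEvent(10.3, "updater.exe", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),  # swapped 0.3 s later
    ClipEvent(45.0, "chrome.exe", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),   # later re-copy: no alert
]

if __name__ == "__main__":
    for ts, owner, old, new in detect_address_swaps(SAMPLE_LOG):
        print(f"[{ts:.1f}s] {owner} replaced {old} with {new}")
```

Requiring both values to pass the Base58Check checksum keeps ordinary edits of unrelated text, or a user copying a second address minutes later, from raising alerts.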

Rounding out the active campaigns is Voico, which impersonates an AI translator project named YOUS (yous[.]ai) through a malicious counterpart, voico[.]io, to distribute an initial downloader that, once installed, prompts the victim to fill in a registration form with their credentials and then logs the data to a console.


The final-stage malware behaves like that of the second sub-campaign, the only difference being that the StealC sample in this case connects to a different command-and-control (C2) server.

“The operations […] exhibit the persistent and evolving hazard posed by cyber outlaws who are skilled at imitating legitimate initiatives to deceive targets,” the researchers said. “The dependency on social engineering methods such as phishing, coupled with multi-phase malware dissemination mechanisms, accentuates the sophisticated capabilities of the malicious actors engaged.”

“By gaming the faith individuals have in established platforms, these culprits efficiently roll out an array of malware designed to pilfer confidential information, compromise systems, and ultimately secure monetary benefits.”
