Cybersecurity researchers have shed light on a sophisticated information stealer campaign that impersonates legitimate brands to distribute malware like DanaBot and StealC.
The activity cluster, orchestrated by Russian-speaking cybercriminals and collectively codenamed Tusk, is said to encompass several sub-campaigns, leveraging the reputation of the platforms to trick users into downloading the malware using bogus sites and social media accounts.
“All the active sub-campaigns host the initial downloader on Dropbox,” Kaspersky researchers Elsayed Elrefaei and AbdulRhman Alfaifi said. “This downloader is responsible for delivering additional malware samples to the victim’s machine, which are mostly info-stealers (DanaBot and StealC) and clippers.”
Of the 19 sub-campaigns identified to date, three are said to be currently active. The name “Tusk” is a reference to the word “Mammoth” used by the threat actors in log messages associated with the initial downloader. It’s worth noting that mammoth is a slang term often used by Russian e-crime groups to refer to victims.
The campaigns are also notable for employing phishing tactics to deceive victims into parting with their personal and financial information, which is then sold on the dark web or used to gain unauthorized access to their gaming accounts and cryptocurrency wallets.
The first of the three sub-campaigns, known as TidyMe, mimics peerme[.]io with a lookalike site hosted on tidyme[.]io (as well as tidymeapp[.]io and tidyme[.]app) that solicits a click to download a malicious program for both Windows and macOS systems that’s served from Dropbox.
The downloader is an Electron application that, when launched, prompts the victim to enter the CAPTCHA displayed, after which the main application interface is displayed, while two additional malicious files are covertly fetched and executed in the background.
Both the payloads observed in the campaign are Hijack Loader artifacts, which ultimately launch a variant of the StealC stealer malware with capabilities to harvest a wide range of information.
RuneOnlineWorld (“runeonlineworld[.]io”), the second sub-campaign, involves the use of a bogus website simulating a massively multiplayer online (MMO) game named Rise Online World to distribute a similar downloader that paves the way for DanaBot and StealC on compromised hosts.
Also distributed via Hijack Loader in this campaign is a Go-based clipper malware that’s designed to monitor clipboard content and substitute wallet addresses copied by the victim with an attacker-controlled Bitcoin wallet to perform fraudulent transactions.
Rounding off the active campaigns is Voico, which impersonates an AI translator project called YOUS (yous[.]ai) with a malicious counterpart dubbed voico[.]io in order to disseminate an initial downloader that, upon installation, asks the victim to fill out a registration form containing their credentials and then logs the information on the console.
The final payloads exhibit similar behavior as that of the second sub-campaign, the only distinction being the StealC malware used in this case communicates with a different command-and-control (C2) server.
“The campaigns […] demonstrate the persistent and evolving threat posed by cybercriminals who are adept at mimicking legitimate projects to deceive victims,” the researchers said. “The reliance on social engineering techniques such as phishing, coupled with multistage malware delivery mechanisms, highlights the advanced capabilities of the threat actors involved.”
“By exploiting the trust users place in well-known platforms, these attackers effectively deploy a range of malware designed to steal sensitive information, compromise systems, and ultimately achieve financial gain.”