Analysis Summary

Researchers have issued a warning about a new fraud campaign that uses phony video conferencing apps to distribute Realst, an information stealer, to Web3 employees under the pretense of phony business meetings.

The malware's threat actors have used artificial intelligence to create fake businesses to give them more respectability. Targets are contacted by the company to arrange a video conversation, which prompts the user to download the Realst infostealer meeting program from the website. The researchers have given the activity the codename Meeten because the fake websites have names like Clusee, Cuesee, Meeten, Meetone, and Meetio.

To explore a possible investment opportunity, the attackers approach potential targets on Telegram and invite them to participate in a video chat that is being conducted on one of the questionable sites. Depending on the operating system, users who visit the website are asked to download either the Windows or macOS version. The statement "The current version of the app is not fully compatible with your version of macOS" appears when users install and start the software on macOS. They are also informed that they must enter their system password for the app to function properly.

Several macOS stealer families, including Atomic macOS Stealer, Cuckoo, MacStealer, Banshee Stealer, and Cthulhu Stealer, have adopted this osascript approach to achieve this. The attack's ultimate objective is to export sensitive data to a distant server by stealing it from a variety of sources, including cryptocurrency wallets. Additionally, the malware can collect browser cookies from Google Chrome, Microsoft Edge, Opera, Brave, Arc, Cốc Cốc, Vivaldi, Telegram credentials, financial information, and iCloud Keychain data.

The Nullsoft Scriptable Installer System (NSIS) file for Windows, is signed with a probably stolen authentic signature from Brys Software Ltd. An Electron application that is set up to retrieve the stealer executable, a Rust-based binary, from an attacker-controlled domain is embedded in the installation. AI is being used more and more by threat actors to create content for their campaigns. Threat actors can quickly produce genuine website content with AI, which gives their schemes more validity and makes it harder to identify dubious websites.

This is not the first instance of malware being distributed using phony meeting software brands. Researchers reported earlier in March that they had discovered a fake website named meethub[.]gg that was used to spread a stealer malware that was similar to Realst. Then, in June, experts revealed an operation called Markopolo that used phony virtual meeting software to target Bitcoin users and use stealers like Rhadamanthys, Stealc, and Atomic to drain their wallets.

Impact

• Sensitive Data Theft
• Identity Theft
• Cryptocurrency Theft
• Financial Loss

Indicators of Compromise

SHA-256

• 5e6cc2ed3876197561ba60a8d8aa7042d025e997cc1046ea351b5b2bc48f9dd7
• 8d731b0bd8c0cda9f923ed0980ea76d57ba036c3a73acb9f4ac8ffe4e4734b83
• aea0bfbba8dd4f3cb99b33792e044af653c2ea07af960f9587d389160497d647
• be012ac8a3f046e56e1c6a293ae567462c01216d024032c4225f656d8002691e

SHA1

• 80b91f12ac229bd0979e3980aeb79691996ebf79
• 131bdc5089172486da69c6b7008ea836aa75737c
• 10b6c73ecc4865c438464ee28b3b2533f1e5b801
• 6757e75085a4fb93d29456a2916754932c1468a3

URL

• http://172.104.133.212:8880/new_analytics
• http://172.104.133.212:8880/opened
• http://172.104.133.212:8880/metrics
• http://172.104.133.212:8880/sede
• http://deliverynetwork.observer/qfast/UpdateMC.zip
• http://deliverynetwork.observer/qfast/AdditionalFilesForMeet.zip

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Ensure that all systems, software, and applications are up-to-date with the latest security patches. Regularly check for and apply updates to eliminate known vulnerabilities that attackers could exploit.
• Educate employees about phishing emails, social engineering tactics, and safe online behavior. Effective training can reduce the likelihood of users inadvertently initiating an attack.
• Regularly back up critical data and systems to offline or isolated storage. Test the backup restoration process to ensure that it is effective in case of an attack.
• Deploy strong endpoint protection solutions that include advanced threat detection, behavior monitoring, and real-time protection against malware.
• Employ robust email filtering and anti-phishing solutions to detect and prevent malicious attachments and links from reaching user inboxes.
• Conduct regular penetration testing and security assessments to identify vulnerabilities and weaknesses in your network and systems. Address any findings promptly.
• Thoroughly assess third-party vendors and software before integrating them into your environment. Ensure they have strong security practices and adhere to cybersecurity standards.