Kaspersky’s Global Emergency Response Team (GERT) has uncovered a sophisticated online fraud campaign that is targeting individuals worldwide, aiming to steal cryptocurrency and sensitive personal information. The campaign, believed to be orchestrated by Russian-speaking cybercriminals, exploits popular topics such as web3, cryptocurrency, artificial intelligence (AI), and online gaming to lure victims into their traps.
The campaign primarily targets Windows and macOS users by using fake websites that closely mimic the design and functionality of legitimate services. These counterfeit sites are designed to be convincing, often imitating well-known platforms in the cryptocurrency, gaming, and AI sectors. The high level of detail in the fake websites increases the likelihood of victims being deceived and subsequently falling prey to the attack.
The primary method of attack involves phishing, where victims are enticed to interact with these fraudulent websites. Once engaged, they may inadvertently provide sensitive information, such as cryptocurrency wallet private keys, or download malware onto their devices. The attackers then use this information to access the victims’ cryptocurrency wallets, draining their funds, or to steal various credentials and other valuable data through info-stealing malware.
Kaspersky’s investigation revealed that the campaign is well-organized, with multiple interconnected sub-campaigns targeting different topics. The use of shared infrastructure suggests a coordinated effort by a single actor or group with specific financial motives. In addition to the main topics of cryptocurrency, AI, and gaming, Kaspersky’s Threat Intelligence Portal has identified infrastructure related to 16 other topics, indicating the campaign’s ability to adapt quickly to emerging trends and deploy new malicious operations.
The malware involved in the campaign includes info-stealers like Danabot and Stealc, as well as clippers that are designed to monitor clipboard data. These clippers can replace a copied cryptocurrency wallet address with a malicious one, diverting funds to the attackers. The malware is delivered through files hosted on platforms like Dropbox, which are disguised with user-friendly interfaces to deceive victims into downloading them.
Kaspersky’s analysis also uncovered strings in the malicious code that were communicated to the attackers’ servers in Russian, including the term “Mammoth” (rus. “Мамонт”), a slang word used by Russian-speaking cybercriminals to refer to a “victim.” This discovery led Kaspersky to dub the campaign “Tusk,” drawing an analogy to the financial gain the attackers seek, similar to hunters seeking the valuable tusks of mammoths.
The findings underscore the critical need for robust cybersecurity measures and increased awareness of evolving threats. As cybercriminals continue to exploit popular trends and technologies, individuals and organizations must remain vigilant and adopt advanced security solutions to protect against these sophisticated attacks.
For a detailed technical breakdown of the campaign, Kaspersky has provided further information on their Securelist platform. Additionally, cybersecurity professionals and enthusiasts are encouraged to participate in Kaspersky’s Security Analyst Summit (SAS), scheduled to take place from October 22-25, 2024, in Bali, for deeper insights into the latest cyber threats.