Kaspersky has uncovered an online fraud campaign targeting Windows and macOS users worldwide, aiming to steal cryptocurrency and sensitive information.
Orchestrated by Russian-speaking cybercriminals, the campaign exploits popular topics such as web3, crypto, AI and online gaming to lure victims to fake websites. These sites closely mimic legitimate services (crypto platforms, online role-playing games, AI translators) and are polished and sophisticated.
Apart from minor differences from the originals in elements such as names and URLs, the convincing design of these malicious sites increases the likelihood of a successful attack. The campaign spreads info-stealing and clipper malware, posing a significant threat to individuals globally.
Victims are enticed to interact with these fake sites through phishing tactics. The websites are crafted to deceive individuals into revealing sensitive information, such as crypto-wallet private keys, or to download malware. Once the victims engage, the attackers can either access and drain their cryptocurrency wallets via the fake site or use the info-stealing malware to capture various credentials, wallet details, and other personal information.
“The correlation between different parts of this campaign and their shared infrastructure suggests a well-organised operation, possibly linked to a single actor or group with specific financial motives,” says Ayman Shaaban, Head of Incident Response Unit, Global Emergency Response Team, Kaspersky.
“In addition to the three sub-campaigns targeting crypto, AI, and gaming topics, our Threat Intelligence Portal has helped to identify infrastructure for 16 other topics — either older, retired sub-campaigns or new ones not yet launched. This demonstrates the threat actor’s ability to swiftly adapt to trending topics and deploy new malicious operations in response. It underscores the critical need for robust security solutions and enhanced cyber literacy to protect against evolving threats.”
Kaspersky discovered strings in the malicious code sent to the attackers’ servers, written in Russian. The term “Mammoth,” used by Russian-speaking cybercriminals to refer to a “victim,” appeared in both server communications and malware download files. Kaspersky named the campaign “Tusk” to highlight its focus on financial gain, drawing a parallel to the way mammoths were hunted for their valuable tusks.
The campaign spreads info-stealing malware like Danabot and Stealc, as well as clippers, including an open-source variant written in Go. The specific malware varies depending on the campaign’s theme. Infostealers are designed to capture sensitive information such as credentials, while clippers monitor clipboard data, replacing a copied cryptocurrency wallet address with a malicious one.
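The clipboard-substitution behaviour described above, shown from the defender's side as an added example that is not part of Kaspersky's report or of the malware itself: a small detector run over a constructed clipboard event log. It flags the tell-tale pattern of a clipper, one wallet address being overwritten by another within a fraction of a second, usually by a process other than the one the user copied from. The event schema, the process names and every address below are assumptions constructed for this example.

```python
"""Detect clipper-style wallet-address substitution in a clipboard event log."""
import re
from dataclasses import dataclass

# Hypothetical address-shape patterns: they check only the general format of an
# address string (prefix, alphabet, length), not checksums, which is enough for
# the "was a wallet address silently replaced by another?" question asked here.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{39,59}$"),
    "eth": re.compile(r"^0x[a-fA-F0-9]{40}$"),
}


def classify_address(text):
    """Return which address family `text` looks like, or None for ordinary text."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


@dataclass
class ClipboardEvent:
    """One clipboard write, as a monitoring agent might record it (hypothetical schema)."""
    ts: float        # seconds since session start
    source: str      # process that wrote the clipboard
    content: str


def detect_clipper_swaps(events, max_gap=1.0):
    """Flag address-to-address clipboard rewrites too fast to be a human re-copy.

    A clipper watches the clipboard and, right after the user copies a wallet
    address, overwrites it with the attacker's address. Two address-looking
    values replacing each other within `max_gap` seconds is that pattern.
    """
    alerts = []
    for prev, cur in zip(events, events[1:]):
        prev_family = classify_address(prev.content)
        cur_family = classify_address(cur.content)
        if prev_family is None or cur_family is None:
            continue                       # not an address-to-address change
        if prev.content.strip() == cur.content.strip():
            continue                       # same address re-copied, nothing swapped
        if cur.ts - prev.ts > max_gap:
            continue                       # slow enough to be a deliberate second copy
        alerts.append({
            "ts": cur.ts,
            "original": prev.content,
            "replacement": cur.content,
            "family": f"{prev_family}->{cur_family}",
            "writer": cur.source,
            # A different process rewriting what the browser just copied is the strongest signal.
            "source_changed": cur.source != prev.source,
        })
    return alerts


# Constructed sample addresses: format-valid strings only, not real wallets.
ETH_USER = "0xabcdef0123456789abcdef0123456789abcdef01"
ETH_SWAPPED = "0x1234567890abcdef1234567890abcdef12345678"
BTC_USER = "1ABCDEFGHJKLMNPQRSTUVWXYZabcdefghj"
BTC_SWAPPED = "bc1q0123456789abcdefghijklmnopqrstuvwxyz01"
BTC_OTHER = "3ABCDEFGHJKLMNPQRSTUVWXYZabcdefghj"


def sample_events():
    """Constructed clipboard log: two clipper swaps and one legitimate re-copy."""
    return [
        ClipboardEvent(0.0, "browser.exe", "meeting notes for tuesday"),
        ClipboardEvent(10.0, "browser.exe", ETH_USER),
        ClipboardEvent(10.2, "updater.exe", ETH_SWAPPED),   # swapped 200 ms later by another process
        ClipboardEvent(40.0, "browser.exe", BTC_USER),
        ClipboardEvent(95.0, "browser.exe", BTC_OTHER),     # user copied a different address a minute later
        ClipboardEvent(120.0, "browser.exe", BTC_USER),
        ClipboardEvent(120.3, "updater.exe", BTC_SWAPPED),  # legacy address swapped for a bech32 one
    ]


if __name__ == "__main__":
    for alert in detect_clipper_swaps(sample_events()):
        print(alert)
```

The time threshold is what separates a clipper from a user who simply copies a second address: a human re-copy takes seconds, a clipper reacts in milliseconds. The detector deliberately does not require the replacement to share a format with the original, since a swap from a legacy address to a bech32 one is still a swap; the `family` field records the transition so an analyst can see it.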
Malware loader files are hosted on Dropbox. When victims download them, they encounter user-friendly interfaces that disguise the malware, prompting them to log in, register, or stay on a static page. Meanwhile, the remaining malicious files and payloads are automatically downloaded and installed onto their systems.