Sophisticated Scam Targets Web3 Professionals
Cybersecurity experts have uncovered a new wave of cyberattacks exploiting fake video conferencing apps to deliver malware aimed at Web3 professionals. The campaign, dubbed Meeten by Cado Security, involves the distribution of an information stealer known as Realst through fraudulent meeting platforms such as Clusee, Cuesee, Meeten, Meetone, and Meetio.
Hackers establish fake companies using AI-generated content to bolster their credibility. They then approach victims on platforms like Telegram, proposing business meetings to discuss investment opportunities. Victims are directed to download a meeting application from a deceptive website, unknowingly installing the Realst malware. The attacks are particularly sophisticated, with tailored installers for both Windows and macOS operating systems, each designed to steal sensitive user data.
How the Malware Operates
Upon installation on macOS, the app claims incompatibility with the user’s macOS version, prompting them to enter their system password. This tactic employs an osascript technique previously used in other macOS malware families like Atomic macOS Stealer and MacStealer. The Realst malware then exfiltrates sensitive data, including cryptocurrency wallet details, Telegram credentials, iCloud Keychain data, browser cookies, and banking information.
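A detection-side illustration of the osascript password-prompt tactic described above (an added example, not code from Cado Security or from the article): it scans process-execution events and flags osascript runs that present a dialog asking for a hidden-answer or password field. The event field names and the sample events are constructed assumptions, not a specific EDR schema.

```python
import json
import re

# Constructed endpoint process-execution events (JSON lines); not real telemetry.
# Field names (host, process, parent, cmdline) are assumptions for this example.
SAMPLE_EVENTS = r'''
{"host": "mac-01", "process": "osascript", "parent": "Meeten", "cmdline": "osascript -e 'display dialog \"Meeten is not compatible with this macOS version\" default answer \"\" with hidden answer'"}
{"host": "mac-02", "process": "osascript", "parent": "Terminal", "cmdline": "osascript -e 'tell application \"Finder\" to activate'"}
{"host": "mac-03", "process": "osascript", "parent": "Meetio", "cmdline": "osascript -e 'display dialog \"Enter your password to continue\" default answer \"\"'"}
{"host": "mac-04", "process": "bash", "parent": "Terminal", "cmdline": "bash -c 'echo display dialog with hidden answer'"}
'''

# An AppleScript text dialog is the building block; a hidden-answer field or
# password wording is what turns it into a credential-harvesting prompt.
DIALOG_RE = re.compile(r"display\s+dialog", re.I)
SECRET_RE = re.compile(r"hidden\s+answer|password", re.I)


def find_credential_prompts(raw_events: str) -> list[dict]:
    """Return one finding per osascript execution that shows a dialog
    requesting a secret. Non-osascript processes are ignored even if their
    command line happens to mention the same words."""
    findings = []
    for line in raw_events.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("process") != "osascript":
            continue
        cmd = event.get("cmdline", "")
        if not DIALOG_RE.search(cmd):
            continue
        match = SECRET_RE.search(cmd)
        if not match:
            continue
        findings.append({
            "host": event["host"],
            "parent": event.get("parent", "?"),
            "reason": f"osascript credential dialog ({match.group(0).lower()})",
        })
    return findings


if __name__ == "__main__":
    for finding in find_credential_prompts(SAMPLE_EVENTS):
        print(finding)
```

In practice the parent process is the most useful pivot: a password dialog spawned by a freshly installed "meeting" app rather than by a system component is the signal worth alerting on.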
The Windows version utilizes a Nullsoft Scriptable Installer System (NSIS) file signed with a potentially stolen certificate. Once launched, the installer retrieves a Rust-based executable from a hacker-controlled domain. The malware targets various browsers, including Google Chrome, Microsoft Edge, Opera, Brave, and others, to extract data.
AI tools significantly enhance the attackers’ operations. “Threat actors are increasingly leveraging AI to generate realistic content for their campaigns, making it more difficult to identify suspicious websites,” said Tara Gould, a researcher at Cado Security.
An Escalating Trend in Cybercrime
The Meeten campaign follows a series of similar cyberattacks using counterfeit meeting software. In March 2023, Jamf Threat Labs reported a fake platform called meethub[.]gg that deployed malware sharing similarities with Realst. In June, Recorded Future revealed a campaign named markopolo, which used fraudulent virtual meeting tools to target cryptocurrency users with stealers like Rhadamanthys and Atomic.
Meanwhile, other malware families, including Fickle Stealer, Wish Stealer, and Celestial Stealer, have emerged, exploiting the demand for pirated software and AI tools. RedLine Stealer and Poseidon Stealer are also being deployed to infiltrate businesses and individual users searching for unauthorized software solutions.
The shutdown of the Banshee Stealer macOS malware operation after a leak of its source code highlights the fluid nature of cybercrime. Still, the rise of new malware families underscores the persistent threat.
This campaign's focus on Web3 professionals, particularly those in Russian-speaking business communities, reflects an ongoing trend of targeting cryptocurrency users and blockchain-based enterprises. Cybersecurity experts urge organizations and individuals to remain vigilant, verify the legitimacy of any video conferencing app before installing it, and employ robust security measures to mitigate the risk of falling victim to such sophisticated attacks.