Cybersecurity researchers have warned of a new scam campaign that leverages fake video conferencing apps to deliver an information stealer called Realst targeting people working in Web3 under the guise of fake business meetings.
“The threat actors behind the malware have set up fake companies using AI to make them increase legitimacy,” Cado Security researcher Tara Gould said. “The company reaches out to targets to set up a video call, prompting the user to download the meeting application from the website, which is Realst infostealer.”
The activity has been codenamed Meeten by the security company, owing to the use of names such as Clusee, Cuesee, Meeten, Meetone, and Meetio for the bogus sites.
The attacks entail approaching prospective targets on Telegram to discuss a potential investment opportunity, urging them to join a video call hosted on one of the dubious platforms. Users who end up on the site are prompted to download a Windows or macOS version depending on the operating system used.
Once installed and launched on macOS, users are greeted with a message that claims “The current version of the app is not fully compatible with your version of macOS” and that they need to enter their system password in order for the app to work as expected.
This is accomplished by means of an osascript technique that has been adopted by several macOS stealer families such as Atomic macOS Stealer, Cuckoo, MacStealer, Banshee Stealer, and Cthulhu Stealer. The end goal of the attack is to steal various kinds of sensitive data, including from cryptocurrency wallets, and export them to a remote server.
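For defenders, the password prompt described above can be hunted in process telemetry. The following is an added example, not code from Cado Security or the original article: it flags osascript executions whose inline script shows a dialog with a masked input field (AppleScript's `with hidden answer` option). The event field names and the sample events are constructed assumptions.

```python
import re

# Constructed sample process-execution events (not from the Cado report).
# The field names pid/parent/argv are assumptions about the telemetry format.
PROMPT = ('display dialog "The current version of the app is not fully compatible '
          'with your version of macOS" default answer "" with hidden answer')
SAMPLE_EVENTS = [
    {"pid": 501, "parent": "/Applications/Example.app/Contents/MacOS/Example",
     "argv": ["osascript", "-e", PROMPT]},
    {"pid": 502, "parent": "/bin/zsh",
     "argv": ["osascript", "-e", 'display notification "Build finished"']},
    {"pid": 503, "parent": "/usr/local/bin/helper",
     "argv": ["/usr/bin/osascript", "-e",
              'Display  Dialog "Password:" default answer "" with  HIDDEN answer']},
    {"pid": 504, "parent": "/bin/zsh", "argv": ["grep", "hidden answer", "notes.txt"]},
]

# AppleScript keywords are case-insensitive and tolerate extra whitespace.
DIALOG = re.compile(r"\bdisplay\s+dialog\b", re.I)
HIDDEN = re.compile(r"\bhidden\s+answer\b", re.I)

def inline_script(argv):
    """Join the script lines passed through one or more -e arguments."""
    return "\n".join(argv[i + 1] for i, a in enumerate(argv[:-1]) if a == "-e")

def flag_password_prompts(events):
    """Return events where osascript shows a dialog with a masked input field."""
    hits = []
    for ev in events:
        argv = ev["argv"]
        if not argv or argv[0].rsplit("/", 1)[-1] != "osascript":
            continue
        script = inline_script(argv)
        if DIALOG.search(script) and HIDDEN.search(script):
            hits.append({"pid": ev["pid"], "parent": ev["parent"]})
    return hits

if __name__ == "__main__":
    for hit in flag_password_prompts(SAMPLE_EVENTS):
        print(f"review pid {hit['pid']}: masked password dialog spawned by {hit['parent']}")
```

A script passed to osascript as a file path rather than through `-e` is not inspected by this check and needs the file's contents reviewed separately.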
The malware is also equipped to steal Telegram credentials, banking information, iCloud Keychain data, and browser cookies from Google Chrome, Microsoft Edge, Opera, Brave, Arc, Cốc Cốc, and Vivaldi.
The Windows version of the app is a Nullsoft Scriptable Installer System (NSIS) file that’s signed with a likely stolen legitimate signature from Brys Software Ltd. Embedded within the installer is an Electron application that’s configured to retrieve the stealer executable, a Rust-based binary, from an attacker-controlled domain.
“Threat actors are increasingly using AI to generate content for their campaigns,” Gould said. “Using AI enables threat actors to quickly create realistic website content that adds legitimacy to their scams, and makes it more difficult to detect suspicious websites.”
This is not the first time fake meeting software brands have been leveraged to deliver malware. Earlier this March, Jamf Threat Labs revealed that it had detected a counterfeit website called meethub[.]gg being used to propagate stealer malware that shares overlaps with Realst.
Then in June, Recorded Future detailed a campaign dubbed markopolo that targeted cryptocurrency users with bogus virtual meeting software to drain their wallets by using stealers like Rhadamanthys, Stealc, and Atomic.
The development comes as the threat actors behind the Banshee Stealer macOS malware shut down their operations after the leak of their source code. It’s unclear what prompted the leak. The malware was advertised on cybercrime forums for a monthly subscription of $3,000.
It also follows the emergence of new stealer malware families like Fickle Stealer, Wish Stealer, Hexon Stealer, and Celestial Stealer, even as users and businesses searching for pirated software and AI tools are being targeted with RedLine Stealer and Poseidon Stealer, respectively.
“The attackers behind this campaign are clearly interested in gaining access to organizations of Russian-speaking entrepreneurs who use software to automate business processes,” Kaspersky said of the RedLine Stealer campaign.