‘Tusk’ alert, an active information campaign and cryptocurrency theft

by time news

2024-08-29 11:07:56

Kaspersky’s Global Emergency Response Team (GERT) has discovered a fraud campaign aimed at Windows and macOS users worldwide, with the aim of stealing cryptocurrency and personal information.

Attackers exploit popular themes to lure victims with fake web pages that closely mimic the design and interface of various legitimate services. Recently, they emulated a cryptocurrency platform, an online role-playing game, and an AI translator. Although there are slight differences between elements of the malicious pages, such as the name and URL, they look polished and sophisticated, increasing the likelihood of a successful attack.

Victims are lured to these fake sites through phishing. The websites are designed to trick people into revealing sensitive information, such as the passwords to their cryptocurrency wallets, or into downloading malware. Attackers can then connect to victims’ cryptocurrency wallets via the fake website and drain their funds, or steal credentials, wallet details, and other information using data-stealing malware.

“The correlation between different parts of this campaign and their shared infrastructure suggests a well-organized operation, possibly linked to a single actor or group with specific financial motives. In addition to the three sub-campaigns focusing on cryptocurrency, AI and gaming topics, our Threat Intelligence Portal helped identify the infrastructure for another 16 themes, either previous sub-campaigns, withdrawn, or new ones not yet launched. This demonstrates the threat actor’s ability to quickly adapt to trending topics and deploy new malicious operations in response. It highlights the need for strong security solutions and increased cyber security literacy to protect against emerging threats,” says Ayman Shaaban, head of the Incident Response Unit at Kaspersky’s GERT.

Kaspersky found strings in the malicious code that are sent to the attackers’ Russian servers. The Russian word for “mammoth”, slang used by Russian-speaking threat actors to refer to a “victim,” appeared in server communications and in the malware download files. Kaspersky named the campaign ‘Tusk’ to emphasize the financial motive, drawing an analogy with mammoths that were hunted for their valuable tusks.

The campaign spreads information-stealing malware such as Danabot and Stealc, as well as clippers, for example an open-source one written in Go (the malware varies depending on the theme of the sub-campaign). Infostealers are designed to steal sensitive information such as credentials, while clippers monitor clipboard data. If a cryptocurrency wallet address is copied to the clipboard, the clipper replaces it with an attacker-controlled address.
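The clipboard-swap behaviour described above can be detected on the defender’s side by remembering what the user actually copied and flagging a silent change to a different address of the same format. The following is an added example, not code from the article or from Kaspersky; it simulates clipboard events with constructed data rather than reading the real clipboard, and the address patterns and event format are assumptions made for the demonstration.

```python
import re
from dataclasses import dataclass

# Regular expressions for common wallet address shapes.
# Constructed for this example; they are deliberately loose and not exhaustive.
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{25,60}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text):
    """Return the wallet-address kind that `text` looks like, or None if it is not an address."""
    text = text.strip()
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


@dataclass
class ClipboardEvent:
    # "user_copy": the user explicitly copied something (hypothetical hook on the copy action)
    # "poll": a background read of the current clipboard contents
    source: str
    content: str


def detect_clipper_swaps(events):
    """Return (expected, observed) pairs where a wallet address the user copied was replaced
    in the clipboard by a different address of the same kind without a new user copy."""
    alerts = []
    last_user_copy = None
    for event in events:
        if event.source == "user_copy":
            last_user_copy = event.content.strip()
            continue
        if last_user_copy is None:
            continue
        kind = classify_address(last_user_copy)
        if kind is None:
            continue  # the user copied ordinary text; nothing worth swapping
        observed = event.content.strip()
        if observed != last_user_copy and classify_address(observed) == kind:
            alerts.append((last_user_copy, observed))
    return alerts


# Constructed sample addresses (the ETH and bech32 values follow the shapes of
# well-known documentation examples; the "attacker" ETH value is an obvious filler).
ETH_LEGIT = "0x52908400098527886E0F7030069857D2E4169EE7"
ETH_ATTACKER = "0x" + "deadbeef" * 5
BTC_LEGIT = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"

# Constructed clipboard timeline: the user copies plain text, then a legitimate ETH
# address; a later poll sees a different ETH address nobody copied (the clipper swap).
SAMPLE_EVENTS = [
    ClipboardEvent("user_copy", "meeting at 10"),
    ClipboardEvent("poll", "meeting at 10"),
    ClipboardEvent("user_copy", ETH_LEGIT),
    ClipboardEvent("poll", ETH_LEGIT),
    ClipboardEvent("poll", ETH_ATTACKER),
    ClipboardEvent("user_copy", BTC_LEGIT),
    ClipboardEvent("poll", BTC_LEGIT),
    ClipboardEvent("poll", "some notes"),
]


def run_demo():
    """Run the detector over the constructed timeline and return the alerts."""
    return detect_clipper_swaps(SAMPLE_EVENTS)


if __name__ == "__main__":
    for expected, observed in run_demo():
        print(f"ALERT: clipboard address changed without a copy: {expected} -> {observed}")
```

The detector only raises an alert when the replacement is an address of the same kind as the one the user copied, which is exactly the substitution a clipper performs; an unrelated change (the user copying plain text through some other path) is ignored to keep false positives down. In a real deployment the "user_copy" events would come from a hook on the copy action and the "poll" events from periodic clipboard reads.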

The malware loader files are hosted on Dropbox. When victims download them, they are met with easy-to-use interfaces that act as a cover for the malware, prompting them to log in, register, or simply stay on a static page. Meanwhile, the remaining malicious payloads are automatically downloaded and installed on the victim’s system.
