Hackers Use Fake Video Conferencing Apps to Deploy ‘Realst’ Malware, Targeting Web3 Professionals
Cybersecurity researchers have uncovered a sophisticated scam campaign leveraging counterfeit video conferencing applications to deploy an information-stealing malware called Realst, targeting individuals in the Web3 sector. The malicious operation, disguised as business meetings, has been dubbed Meeten by Cado Security, named after the fake platforms it utilizes, such as Clusee, Cuesee, Meeten, Meetone, and Meetio.
Tactics to Establish Legitimacy
According to Tara Gould, a researcher at Cado Security, the threat actors have established fake companies, employing AI-generated content to enhance their authenticity. “The attackers set up fraudulent organizations and reach out to their targets under the pretense of scheduling a video call. Users are then directed to download a fake meeting application from the company’s website, which installs the Realst infostealer,” Gould explained.
Targeting Through Telegram
The attackers primarily approach potential victims on Telegram, presenting lucrative investment opportunities. They then direct the targets to join video calls hosted on malicious platforms. Depending on the victim’s operating system, the scam prompts users to download an app for Windows or macOS.
On macOS, victims are tricked into entering their system password under the guise of resolving compatibility issues. This method employs the osascript technique, previously used by macOS stealer families like Atomic macOS Stealer, MacStealer, and Cthulhu Stealer. The malware’s primary objective is to steal sensitive data, including cryptocurrency wallet details, Telegram credentials, banking information, iCloud Keychain data, and browser cookies.
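The password-prompt behaviour described above leaves a recognisable trace in process telemetry: an `osascript` child spawned by an application bundle, whose command line builds a `display dialog` with `hidden answer` (a masked text field, which is how a password is collected). The following is an added example, not code from the article or from Cado Security, showing how a defender could flag that pattern in an endpoint log export. The event records, the bundle path `/Applications/Meeten.app/...`, the field names and the dialog text are all constructed for the example and are not indicators taken from the campaign.

```python
import re
from typing import Optional

# Constructed process-execution events in a hypothetical EDR export format.
# None of these values come from the article; they exist only to exercise the rule.
SAMPLE_EVENTS = [
    {"pid": 4101, "user": "alice",
     "parent": "/Applications/Meeten.app/Contents/MacOS/Meeten",   # hypothetical path
     "cmdline": "osascript -e 'display dialog \"Enter your password to fix a "
                "compatibility issue\" default answer \"\" with hidden answer'"},
    {"pid": 4102, "user": "alice",
     "parent": "/bin/zsh",
     "cmdline": "osascript -e 'display notification \"Build finished\" with title \"CI\"'"},
    {"pid": 4103, "user": "alice",
     "parent": "/Applications/Slack.app/Contents/MacOS/Slack",
     "cmdline": "open -a Calendar"},
]

# A dialog that both asks for text and masks it is the password-collection shape.
PASSWORD_PROMPT = re.compile(
    r"display\s+dialog\b.*\bwith\s+hidden\s+answer", re.IGNORECASE | re.DOTALL
)

# Parents under these prefixes are system components; anything else (a third-party
# app bundle, a shell) asking for a password via AppleScript deserves a closer look.
TRUSTED_PARENT_PREFIXES = ("/System/", "/usr/libexec/")


def classify_event(event: dict) -> Optional[dict]:
    """Return an alert dict for an osascript password-style prompt, else None."""
    cmd = event["cmdline"]
    if not re.search(r"(^|/)osascript\b", cmd):
        return None
    if not PASSWORD_PROMPT.search(cmd):
        return None
    parent = event["parent"]
    severity = "medium" if parent.startswith(TRUSTED_PARENT_PREFIXES) else "high"
    return {
        "pid": event["pid"],
        "user": event["user"],
        "parent": parent,
        "severity": severity,
        "reason": "osascript dialog with hidden answer spawned by non-system parent"
        if severity == "high" else "osascript dialog with hidden answer",
    }


def scan(events) -> list:
    """Run the rule over a list of events and return the alerts it produces."""
    return [alert for alert in (classify_event(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on the combination of `display dialog` and `with hidden answer` rather than on any specific prompt wording, because the text shown to the victim is trivially changed between campaigns while the masked-input construct is what makes the dialog useful for harvesting a credential. Parent-process provenance is used only to grade severity; legitimate administrative scripts occasionally use the same construct, so the alert is a triage signal rather than a block.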
Technical Execution
The Windows version uses a Nullsoft Scriptable Install System (NSIS) file signed with a potentially stolen legitimate certificate from Brys Software Ltd. Once installed, it deploys an Electron-based application that fetches the malware executable, a Rust-based binary, from a domain controlled by the attackers.
Increasing Use of AI in Cybercrime
“Threat actors are leveraging AI to create realistic content, making their websites appear more credible and harder to identify as fraudulent,” Gould noted. This technique underscores the growing sophistication of cybercrime campaigns.
Not a New Tactic
The tactic of using fake video conferencing software to distribute malware is not new. In March, Jamf Threat Labs uncovered a similar campaign using a counterfeit website, meethub[.]gg, to distribute malware with overlaps to Realst. Similarly, in June, Recorded Future detailed a campaign targeting cryptocurrency users with malicious virtual meeting software to deploy stealers like Rhadamanthys, Stealc, and Atomic.
Broader Implications
The discovery of the Meeten campaign comes amidst the proliferation of new stealer malware families like Fickle Stealer, Wish Stealer, Hexon Stealer, and Celestial Stealer. Additionally, businesses searching for pirated software and AI tools have been targeted with malware like RedLine Stealer and Poseidon Stealer.
Kaspersky researchers highlighted the motives of similar campaigns, noting that attackers often target organizations run by Russian-speaking entrepreneurs using automated business tools. This latest revelation underscores the importance of vigilance in the face of increasingly advanced cyber threats.
A Call for Cybersecurity Awareness
With threat actors continually evolving their methods, businesses and individuals are urged to remain cautious, verify the authenticity of applications, and implement robust cybersecurity measures to protect sensitive information from being compromised.