Cybercriminals have created an elaborate, global reputation network — comprised of GitHub repositories, SourceForge projects, bogus YouTube videos, and other online assets — in a wide-scale cryptocurrency heist that targets both Windows and macOS platforms. 

While the campaign does not specifically target enterprises, it demonstrates an evolution in how threat actors no longer need to rely on traditional channels of malware distribution and instead can go right to the source using advanced social engineering, according to researchers.

Check Point Software uncovered the campaign, which spreads a Rust-based clipboard hijacking malware targeting “users who are looking for shortcuts and quick profits — particularly crypto owners and online crash‑game gamblers and traders who are attracted by promises of automated gains and ‘predictable’ outcomes,” according to a post published last week.

What’s arguably most notable about the campaign, however, is not necessarily who it’s targeting or the malware itself, but the extensive multichannel promotion that attackers used to convince users that they will have an “unfair advantage” in their crypto activity by downloading their fake tools.


The ultimate payload of the campaign is a clipboard hijacker that has Windows and macOS versions. Both versions are designed for stealing cryptocurrency from their targets by repeatedly obtaining crypto wallet addresses from their clipboards and maintaining persistence on the compromised device. Cryptocurrencies and platforms targeted include: Bitcoin, Ethereum, Monero, Binance Chain, and Solana, among others.

Coordinated Reputation Manipulation

The hub of the campaign is a WordPress-based phishing site where cybercriminals offer “tools” such as decryptors that they claim give users an advantage in crypto trading. But the promotion of the malware-hiding downloads also extends to GitHub and SourceForge projects, promoted by fake accounts that provide positive feedback for the projects on their respective platforms.

Additionally, the attackers created a dedicated YouTube channel that uses artificial intelligence (AI)-generated narrators, “suspicious view spikes, and highly positive (likely coordinated) comments,” according to the post, all of which further create an illusion of popularity and trustworthiness for the fake tools. 

The campaign also uses the malware scanning platform VirusTotal, where some samples from this campaign receive benign votes and “safe” comments. “Combined with the already low detection rate, this creates a misleading impression of safety that can influence both end users and reputation‑based detection systems,” according to the post. 


The researchers discovered threat actors were even going so far as to use legitimate online news sites to publish fake stories about the release of the decryptor advertised on the phishing site, promoting the tool’s fake capabilities and including links back to the phishing page. “It is unclear whether the threat actor published them through paid advertisements that were later removed by the news outlets after being notified of their malicious nature, or whether there is a malicious service — or a set of compromised news outlets — that offers this kind of fraudulent promotion on legitimate websites,” Check Point researchers wrote.

New Approach to Malware Delivery

Eli Smadja, group manager, products R&D at Check Point Software, tells Dark Reading it’s definitely unusual for cybercriminals to go to such great lengths to distribute this type of malware, as it is not common to see such a wide range of online reputational sources being used to build trust and credibility.

“What makes this unique is how attackers combined multiple trusted platforms to build credibility, even manipulating VirusTotal — typically used by security researchers — to make detections appear as false positives and reinforce a false sense of legitimacy,” he says. 


This approach demonstrates a paradigm shift in how attackers can manipulate reputation systems, crowd‑sourced feedback, and cross‑platform promotion to gain trust with prospective victims and achieve greater success with such campaigns, according to Check Point.

“From a user’s perspective, the ability to manipulate sentiment and reputation on platforms like VirusTotal marks an important evolution in how threat actors shape trust,” according to the post. “Even if this campaign is not primarily aimed at large enterprises, it shows that attackers no longer rely only on classic malware distribution techniques to reach victims.”

Defending Against Novel Trust Campaigns

Given that attackers are expanding their options for how to deliver malware, defenders should regard online reputation with suspicion. Even corporate users can slip malware downloads past enterprise defenses, so security teams also should take heed of the new trust-building strategies used in this campaign, according to Check Point.

Recommended actions for security teams include regarding community reputation signals as potentially adversarial, and educating users about cryptocurrency-focused scams promising automated profits, prediction tools, or trading advantages.

Endpoint protection solutions also are useful, as they “can help block the malicious code, as the websites promoting it are not inherently malicious,” Smadja tells Dark Reading. To help bolster this protection, corporate defenders can monitor for clipboard-hijacking behavior in endpoint detection programs, particularly clipboard listeners interacting with cryptocurrency wallet patterns.
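The detection idea above, flagging clipboard writes that swap one wallet-looking address for another, can be sketched as a small rule over clipboard telemetry. The following is an added example written for this article, not code from Check Point or from the campaign; the event format, the process attribution, the five-second window and the address patterns are all assumptions, and the address regexes are approximations of the common formats rather than full validation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Approximate address-format patterns for the assets the article names.
# Constructed for illustration; they are not checksum-validating and the
# Solana pattern overlaps the legacy Bitcoin format, so Bitcoin is tried first.
WALLET_PATTERNS = {
    "bitcoin": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "monero": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
    "solana": re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),
}


@dataclass(frozen=True)
class ClipboardEvent:
    """One clipboard write as an endpoint sensor might report it (assumed schema)."""
    t: float       # seconds since the monitor started
    writer: str    # process that set the clipboard, as attributed by the sensor
    text: str      # new clipboard contents


@dataclass(frozen=True)
class SwapAlert:
    asset: str
    original: str
    replaced_with: str
    writer: str
    delta_s: float


def classify(text: str) -> Optional[str]:
    """Return the asset whose address format the text matches, or None."""
    s = text.strip()
    for asset, pattern in WALLET_PATTERNS.items():
        if pattern.match(s):
            return asset
    return None


def detect_swaps(events: List[ClipboardEvent], window_s: float = 5.0) -> List[SwapAlert]:
    """Flag a wallet address being replaced by a different address of the same
    asset class within `window_s` seconds by a different process than the one
    that wrote the original. A user pasting a second address minutes later from
    the same application does not trigger the rule."""
    alerts: List[SwapAlert] = []
    prev: Optional[ClipboardEvent] = None
    for ev in events:
        asset = classify(ev.text)
        if asset is None:
            prev = None          # non-address content breaks the chain
            continue
        if (
            prev is not None
            and classify(prev.text) == asset
            and prev.text.strip() != ev.text.strip()
            and ev.t - prev.t <= window_s
            and ev.writer != prev.writer
        ):
            alerts.append(SwapAlert(asset, prev.text.strip(), ev.text.strip(),
                                    ev.writer, ev.t - prev.t))
        prev = ev
    return alerts


# Constructed sample telemetry: a user copies an Ethereum address from a browser,
# an unrelated process overwrites it 300 ms later, then ordinary activity follows.
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "chrome.exe", "0x" + "a" * 40),
    ClipboardEvent(0.3, "updater.exe", "0x" + "b" * 40),
    ClipboardEvent(60.0, "chrome.exe", "hello world"),
    ClipboardEvent(61.0, "chrome.exe", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    ClipboardEvent(120.0, "chrome.exe", "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(alert)
```

Run stand-alone, the script reports a single alert for the Ethereum swap by `updater.exe`; the two Bitcoin addresses a minute apart from the same browser are not flagged. If the sensor in use cannot attribute the writing process, drop the `writer` comparison and rely on the short time window alone, accepting more noise from password managers and wallet apps that legitimately rewrite the clipboard.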
