A cryptocurrency theft scheme is aimed at Web3 professionals through fraudulent meeting applications.
A campaign aimed at Web3 professionals has been detected, employing fake meeting applications to distribute malware and harvest credentials from various websites, applications, and cryptocurrency wallets, as reported by Cado Security Labs.
Fraudsters are utilizing artificial intelligence to generate and populate websites and social media accounts that resemble authentic businesses. This strategy is designed to attract potential victims and convince them to download a meeting application, as outlined by Cado’s threat research lead, Tara Gould, in a report published on December 6.
The application in question is named “Meeten,” although it is currently operating under the alias “Meetio” and frequently changes its name. Previously, it has been known as Clusee.com, Cuesee, Meeten.gg, Meeten.us, and Meetone.gg.
Once downloaded, the app incorporates a Realst info stealer that seeks out sensitive information, including Telegram credentials, banking card details, and data related to cryptocurrency wallets, which it then transmits back to the attackers.
The info stealer is also capable of scanning for browser cookies and autofill credentials from applications such as Google Chrome and Microsoft Edge, as well as information pertaining to Ledger, Trezor, and Binance Wallets.
The operation may involve social engineering tactics and impersonation. One individual reported being approached on Telegram by an acquaintance who wanted to discuss a business opportunity, only for that contact to later turn out to be a fraudster.
The perpetrator demonstrated a sophisticated, targeted approach, employing a presentation from the victim's company to enhance credibility, Gould observed.
Further, Gould reported additional accounts of individuals participating in Web3-related calls, downloading software, and subsequently experiencing cryptocurrency losses.
To bolster their legitimacy, the fraudsters created a company website with AI-generated content, including blog posts, product descriptions, and associated social media profiles on platforms like X and Medium.
Recent discussions have primarily focused on AI's potential for malware creation; however, threat actors are increasingly exploiting AI to generate content for their operations, Gould observed.
This allows them to rapidly produce authentic-seeming website content for scams, significantly hindering the detection of fraudulent websites.
The counterfeit websites prompt users to download software laden with malware and also incorporate JavaScript designed to siphon off cryptocurrency stored in web browsers, even prior to the installation of any malware.
Malicious actors have created variants compatible with both macOS and Windows operating systems. Gould's assessment indicates this activity has persisted for roughly four months.
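Because the app is repeatedly renamed, a defender hunting for it in proxy or DNS logs should match both the domains the report lists and any new host built on the same brand stems. The following is an added illustration, not code from Cado Security Labs or the report; the log format, the sample lines and the `.example` host are constructed for the example.

```python
import re
from typing import Optional

# Hostnames the report lists as earlier or current names of the fake meeting app.
KNOWN_DOMAINS = {"clusee.com", "meeten.gg", "meeten.us", "meetone.gg"}
# Brand stems the app has used ("Meetio" and "Cuesee" were named without a domain);
# the campaign renames often, so any registrable label carrying a stem is flagged too.
BRAND_STEMS = ("meeten", "meetio", "meetone", "clusee", "cuesee")

_URL_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)

def host_of(dest: str) -> str:
    """Return the lowercase hostname from a URL or a bare host:port field."""
    m = _URL_RE.match(dest)
    host = m.group(1) if m else dest.split("/")[0]
    return host.split(":")[0].lower().rstrip(".")

def classify_host(host: str) -> Optional[str]:
    """'known' for a listed domain (or a subdomain of one), 'lookalike' for an
    unlisted host whose registrable label uses a campaign brand stem, else None."""
    for d in KNOWN_DOMAINS:
        if host == d or host.endswith("." + d):
            return "known"
    labels = host.split(".")
    reg = labels[-2] if len(labels) >= 2 else labels[0]  # label left of the TLD
    if any(stem in reg for stem in BRAND_STEMS):
        return "lookalike"
    return None

def hunt(lines: list) -> list:
    """Scan 'timestamp user destination' proxy lines; return (line no, host, verdict)."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, skip rather than crash
        host = host_of(parts[2])
        verdict = classify_host(host)
        if verdict:
            hits.append((n, host, verdict))
    return hits

# Constructed sample proxy log (not real traffic); the path in line 4 must not match.
SAMPLE_LOG = [
    "2024-12-06T09:01:00Z alice https://mail.example.com/inbox",
    "2024-12-06T09:02:10Z bob https://app.meeten.gg/download/Meeten.dmg",
    "2024-12-06T09:03:30Z carol meetio.example:443",
    "2024-12-06T09:04:00Z dave https://docs.example.org/meeten-notes",
    "2024-12-06T09:05:45Z erin https://clusee.com/",
]
```

Running `hunt(SAMPLE_LOG)` flags lines 2 and 5 as known domains and line 3 as a lookalike, while the brand stem appearing only in a URL path on line 4 is correctly ignored.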
Similar tactics have been observed among other fraudulent entities. In August, blockchain investigator ZachXBT reported identifying twenty-one developers, suspected to be North Korean nationals, involved in multiple cryptocurrency projects under assumed identities.
The FBI issued a September alert concerning North Korean cybercriminals targeting cryptocurrency and decentralized finance organizations with malware concealed within fraudulent job postings.