Friday, April 4, 2025
New Meeten Malware Attacking macOS And Windows Users To Steal Logins

A crypto-stealing malware family, Realst, is being used against Web3 professionals. The threat actors behind the campaign use AI-generated content to build fake companies, such as “Meetio,” that look legitimate.

Targets are talked into joining a video call and then told to download the “meeting application” from the fake company's website; that download is the malware.

Once installed, Realst harvests sensitive data, including cryptocurrency wallet credentials and private keys. The campaign has been running for roughly four months and shows how much effort attackers are now putting into targeting the Web3 space.

Meeten webpage

The threat actor, which has operated under the names Meeten, Clusee, and Meetio, relies on social engineering to get victims to install the software.

They build realistic company websites and social media profiles to establish credibility. Targets are chosen individually: the actors impersonate known contacts or exploit existing business relationships to get a call scheduled.

During the call, the conversation is steered toward a supposed business opportunity or Web3 project, and the victim is asked to install the “meeting” software to continue. That install hands the actor access to the victim's data, including cryptocurrency wallets, and can lead to significant financial loss.

JavaScript to steal cryptocurrency

The macOS variant is packaged as a legitimate-looking application, and the same social engineering gets the victim to download and run the malicious package.

Once installed, it quietly collects sensitive data from browsers, cryptocurrency wallets, and system credential stores.

The collected data is compressed and exfiltrated to a remote server. In parallel, the malware gathers system and build information and sends it to a command-and-control server, giving the operators a profile of the host for follow-up activity.

System information that is sent as a log

Cado Security Labs also identified a Windows version, MeetenApp.exe. It is an NSIS installer carrying a legitimate code signature stolen from Brys Software, so a signature check alone will not flag it.

The installer unpacks an Electron application whose JavaScript is shipped in compiled form to hinder analysis. The application collects system information (HWID, geo-IP, hostname, OS, user accounts, CPU core count, RAM, disk size, and running processes) and sends it to a remote server.

UpdateMC is a malicious Rust-based binary that does the actual stealing. It targets Telegram credentials, banking information, browser data, and cryptocurrency wallet details.

The stolen data is compressed into a ZIP file and exfiltrated to a hard-coded IP address. For persistence, the malware adds a registry key so that it runs automatically at system startup.
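The persistence and signing tricks described above suggest a simple host check. The PowerShell below is an added example, not Cado's tooling or the malware's code: it enumerates the usual Run and RunOnce keys, resolves the executable each entry launches, and flags entries whose name matches the campaign's (UpdateMC, MeetenApp, Meetio, Clusee), entries launched from user-writable paths, executables whose Authenticode signature is missing or invalid, and executables whose signer subject contains "Brys Software". The name list and the treatment of a Brys Software signer as a lead are assumptions for this example; a genuine Brys Software product would also match and must be triaged by hand.

```powershell
# Added example: hunt for Run-key persistence of the kind described in the article.
# Assumptions: $SuspectNames and $SuspectSigner are illustrative indicators taken from
# the article text, not a vetted IOC list. Run elevated to read HKLM.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Names reported for this campaign (assumption: extend for your environment).
$SuspectNames  = @('UpdateMC', 'MeetenApp', 'Meeten', 'Meetio', 'Clusee')
# Signer reported as abused. A match is a lead, not proof: legitimate Brys Software binaries exist.
$SuspectSigner = 'Brys Software'

# Directories a standard user can write to; persistence from here deserves a look.
$UserWritable = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:USERPROFILE) |
    Where-Object { $_ } | ForEach-Object { $_.ToLower() }

function Get-ExecutablePath {
    param([string]$CommandLine)
    # "C:\path\app.exe" --flag  ->  C:\path\app.exe ; C:\path\app.exe --flag -> C:\path\app.exe
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(\S+)')     { return $Matches[1] }
    return $null
}

function Find-SuspiciousRunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
            if ($p.Name -like 'PS*') { continue }

            $exe     = Get-ExecutablePath -CommandLine ([string]$p.Value)
            $reasons = @()

            if ($SuspectNames | Where-Object { $p.Name -like "*$_*" -or $exe -like "*$_*" }) {
                $reasons += 'name matches campaign indicator'
            }
            if ($exe -and ($UserWritable | Where-Object { $exe.ToLower().StartsWith($_) })) {
                $reasons += 'launched from user-writable path'
            }
            if ($exe -and (Test-Path $exe)) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                if ($sig.Status -ne 'Valid') {
                    $reasons += "signature status $($sig.Status)"
                } elseif ($sig.SignerCertificate.Subject -like "*$SuspectSigner*") {
                    # A stolen but not yet revoked certificate still validates, so check the subject too.
                    $reasons += 'signed with abused certificate subject'
                }
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $p.Name
                    Command = $p.Value
                    Exe     = $exe
                    Reasons = ($reasons -join '; ')
                }
            }
        }
    }
}

$findings = @(Find-SuspiciousRunEntries)
if ($findings.Count -eq 0) {
    Write-Host 'No suspicious Run-key entries found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in an elevated session so the HKLM hives are readable. Because a stolen certificate keeps validating until it is revoked, the script does not trust a "Valid" status on its own and also inspects the signer subject; for the same reason, treat an entry that matches only on path as a prompt to pull the binary for analysis, not as a verdict. Scheduled tasks, the Startup folder, and services are other startup locations worth covering with the same logic.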

Electron Application Meeten structure

This campaign is a good example of AI-assisted social engineering: the fake company sites and profiles are convincing enough that the malicious Electron application looks like a normal product download, and spotting the fraud from the website alone is hard.

AI-generated copy lowers the cost of producing realistic, professional-looking content, which raises the success rate of these lures.

Practical defences are mostly procedural. Treat unsolicited contact, especially on Telegram, with suspicion; verify a new "partner" through a channel you already trust rather than the one they contacted you on; install conferencing software only from the vendor's official site, and treat a call that requires a new client to be installed first as a red flag. Do not click links sent during the approach, and review new startup entries and downloaded installers on any machine that holds wallet keys.

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
