Russian Cyber Criminals Exploiting Counterfeit Brand Websites to Disseminate DanaBot and StealC Malware

Cybersecurity researchers have uncovered a sophisticated information stealer campaign that impersonates well-known brands to distribute malware such as DanaBot and StealC.

This campaign, named Tusk and carried out by Russian-speaking cybercriminals, involves multiple sub-campaigns that use the reputation of popular platforms to deceive users into downloading malware through fake websites and social media accounts.

According to Kaspersky researchers Elsayed Elrefaei and AbdulRhman Alfaifi, all active sub-campaigns host the initial downloader on Dropbox, which then delivers additional malware samples like DanaBot and StealC to the victim’s device, along with clippers.

Out of the 19 identified sub-campaigns, three are currently operational. The name “Tusk” derives from the word “Mammoth”, which the threat actors use in log messages of the initial downloader; “Mammoth” is slang among Russian e-crime groups for a victim.

These campaigns also use phishing tactics to trick victims into giving up their personal and financial information, which is either sold on the dark web or used to gain unauthorized access to gaming accounts and cryptocurrency wallets.

The first sub-campaign, TidyMe, imitates peerme[.]io with a fake site hosted on tidyme[.]io, urging users to download a malicious program for Windows and macOS systems, served from Dropbox.

Further, RuneOnlineWorld (“runeonlineworld[.]io”) poses as a popular MMO game to distribute a downloader that installs DanaBot and StealC on compromised hosts, along with a clipper malware. The clipper monitors clipboard content and, when it sees a copied cryptocurrency wallet address, silently replaces it with the attacker’s address so that the victim’s transfers are redirected to the attacker.
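The clipper behaviour described above has a recognisable footprint: a wallet address in the clipboard is replaced by a different address of the same type a fraction of a second after the user copied it, with no copy action of their own. The following detection logic is an added example written for this article, not code from Kaspersky or from the campaign; the address patterns, the clipboard event format and the sample timeline are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Address shapes to watch (constructed patterns: Bitcoin legacy/bech32, Ethereum hex).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

@dataclass
class ClipboardEvent:
    ts: float         # seconds (constructed sample values)
    text: str         # clipboard contents after this change
    user_copy: bool   # True if a user copy keystroke/menu action was observed

def address_type(text: str) -> Optional[str]:
    """Return 'btc', 'eth' or None for the given clipboard text."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return name
    return None

def detect_clipper(events: List[ClipboardEvent], window: float = 2.0) -> List[dict]:
    """Flag a change where one wallet address is replaced by a different address
    of the same type, without a user copy action, within `window` seconds of
    the previous clipboard write. Returns one finding per suspicious swap."""
    findings = []
    for prev, cur in zip(events, events[1:]):
        kind = address_type(prev.text)
        if kind is None or kind != address_type(cur.text):
            continue                       # not an address-for-address swap
        if cur.text.strip() == prev.text.strip() or cur.user_copy:
            continue                       # unchanged, or the user copied it
        if cur.ts - prev.ts <= window:
            findings.append({"type": kind, "original": prev.text,
                             "replaced_with": cur.text, "delay": cur.ts - prev.ts})
    return findings

# Constructed clipboard timeline for the demo (not from the article).
SAMPLE_EVENTS = [
    ClipboardEvent(100.0, "meeting notes", user_copy=True),
    ClipboardEvent(105.0, "0x" + "1a" * 20, user_copy=True),    # user copies own wallet
    ClipboardEvent(105.3, "0x" + "f0" * 20, user_copy=False),   # replaced without user action
    ClipboardEvent(130.0, "bc1q" + "w" * 38, user_copy=True),   # later, legitimate copy
    ClipboardEvent(140.0, "bc1q" + "z" * 38, user_copy=True),   # user copies a different address
]

if __name__ == "__main__":
    for f in detect_clipper(SAMPLE_EVENTS):
        print(f"suspicious {f['type']} swap after {f['delay']:.2f}s: {f['original']} -> {f['replaced_with']}")
```

The two legitimate Bitcoin copies at the end produce no finding because each was driven by an observed user action; only the silent Ethereum swap is reported.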

The third active campaign, Voico, masquerades as an AI translator project called YOUS (yous[.]ai) to distribute an initial downloader that prompts victims to fill out a registration form, capturing the credentials they enter.

All the sub-campaigns demonstrate the risks posed by cybercriminals who use deceptive tactics to trick victims into downloading malware. By exploiting the trust in well-known platforms, these attackers aim to steal sensitive information and gain financially through various malicious activities.
