Russian hackers spreading DanaBot and StealC Malware through phony brand sites

August 17, 2024
TLDR:

  • A sophisticated information stealer campaign, orchestrated by Russian-speaking cybercriminals codenamed Tusk, is using fake brand sites to distribute malware like DanaBot and StealC.
  • The malware campaigns trick users into downloading malicious programs by impersonating legitimate platforms and using phishing tactics to steal personal and financial information.

Cybersecurity researchers have identified a campaign, codenamed Tusk, that involves Russian hackers using fake brand sites to spread malware like DanaBot and StealC. The campaign consists of several sub-campaigns that leverage the reputation of legitimate platforms to deceive users into downloading the malware through bogus sites and social media accounts.

According to Kaspersky researchers, all the active sub-campaigns host the initial downloader on Dropbox; that downloader then delivers additional malware samples such as info-stealers (DanaBot and StealC) and clippers. The Tusk campaign is known to employ phishing tactics to deceive victims into sharing their personal and financial information, which is then sold on the dark web or used to gain unauthorized access to gaming accounts and cryptocurrency wallets.

Of the 19 sub-campaigns identified, three are currently active: TidyMe, which mimics peerme[.]io; RuneOnlineWorld, which impersonates an MMO game named Rise Online World; and Voico, which pretends to be an AI translator project called YOUS. Each sub-campaign uses a malicious downloader to distribute the DanaBot and StealC malware, as well as clipper malware that monitors clipboard content and silently replaces a copied wallet address with one controlled by the attackers, so that the victim's next transaction goes to the wrong recipient.
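The clipper behaviour described above has a simple detection signature: a wallet-looking clipboard value is overwritten by a different wallet-looking value shortly after the user copied it, with no user copy action in between. The following added example (not code from the article or from Kaspersky's report) shows that heuristic as a pure function over a constructed stream of clipboard events; the `ClipboardEvent` shape and the `user_initiated` flag are assumptions standing in for whatever clipboard and input telemetry an endpoint agent actually collects.

```python
import re
from dataclasses import dataclass

# Loose address shapes for the two most commonly clipped asset types.
# Bitcoin: legacy/P2SH (1... or 3...) or bech32 (bc1...); Ethereum: 0x + 40 hex.
BTC_RE = re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})$")
ETH_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def looks_like_wallet(text: str) -> bool:
    """True if the clipboard text is shaped like a BTC or ETH address."""
    text = text.strip()
    return bool(BTC_RE.match(text) or ETH_RE.match(text))


@dataclass
class ClipboardEvent:
    t: float            # seconds since monitoring started (assumed telemetry)
    content: str        # clipboard text after the change
    user_initiated: bool  # a copy/cut action was observed at this time (assumed telemetry)


def detect_clipper_swaps(events, max_gap_s: float = 2.0):
    """Flag clipboard changes that replace one wallet address with another
    without a user copy action, within max_gap_s of the original copy."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        if not (looks_like_wallet(prev.content) and looks_like_wallet(cur.content)):
            continue
        if prev.content == cur.content or cur.user_initiated:
            continue
        if cur.t - prev.t > max_gap_s:
            continue  # slow change, more likely a legitimate re-copy by another app
        alerts.append({
            "time": cur.t,
            "original": prev.content.strip(),
            "replacement": cur.content.strip(),
        })
    return alerts


# Constructed sample stream: a swap right after the user copies an ETH address,
# then benign activity (plain text, and two user-initiated BTC copies far apart).
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "0x" + "ab" * 20, True),       # user copies their own address
    ClipboardEvent(0.3, "0x" + "cd" * 20, False),      # overwritten with no user action
    ClipboardEvent(5.0, "meeting notes", True),
    ClipboardEvent(9.0, "1" + "A" * 30, True),
    ClipboardEvent(20.0, "bc1" + "q" * 38, True),      # user-initiated, 11 s later
]


def run_sample():
    return detect_clipper_swaps(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"[{alert['time']:.1f}s] clipboard swap: "
              f"{alert['original']} -> {alert['replacement']}")
```

On the sample stream only the first pair is reported; the later wallet copies are user-initiated and far apart, so they pass. In practice the `user_initiated` signal is the important part: a clipboard monitor that lacks it will also flag password managers and wallet apps that legitimately rewrite the clipboard.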

Overall, the Tusk campaign demonstrates the advanced capabilities of cybercriminals who are adept at impersonating legitimate brands to deceive victims. By exploiting the trust users place in well-known platforms, the attackers effectively deploy a range of malware to steal sensitive information, compromise systems, and achieve financial gain.
