Kaspersky uncovers Russian-led crypto & web3 fraud campaign

Kaspersky has detected an online fraud campaign aimed at stealing cryptocurrency and sensitive information by exploiting popular topics such as web3, crypto, AI, and online gaming. This campaign, believed to be orchestrated by Russian-speaking cybercriminals, utilises info-stealing and clipper malware to target individuals worldwide.

The cybercriminals behind this campaign, named 'Tusk' by Kaspersky, create fake websites mimicking legitimate services. Recent cases have involved sites that imitate a cryptocurrency platform, an online role-playing game, and an AI translator. Despite minor differences such as the name and URL, these sites appear polished and sophisticated, significantly increasing the likelihood of successful attacks.

"The correlation between different parts of this campaign and their shared infrastructure suggests a well-organised operation, possibly linked to a single actor or group with specific financial motives," said Ayman Shaaban, Head of the Incident Response Unit at Kaspersky's Global Emergency Response Team (GERT). Shaaban added that their Threat Intelligence Portal had identified infrastructure for 16 other topics, either as older, retired sub-campaigns or new ones not yet launched. "This demonstrates the threat actors' ability to swiftly adapt to trending topics and deploy new malicious operations in response. It underscores the critical need for robust security solutions and enhanced cyber literacy to protect against evolving threats," he emphasised.

Victims are lured into interacting with these fake setups through phishing schemes. The malicious websites are designed to deceive individuals into giving away sensitive information, such as crypto-wallet private keys, or downloading malware. The attackers can connect to the victim's cryptocurrency wallets via the fake site to drain funds or use info-stealing malware to obtain credentials and other valuable information.

In analysing the malicious code, Kaspersky discovered strings sent to the attackers' servers in Russian. The campaign was dubbed 'Tusk' to emphasise its focus on financial gain, drawing an analogy to mammoths hunted for their valuable tusks. The campaign spreads info-stealer malware such as Danabot and Stealc, as well as clippers like an open-source variant written in Go. Infostealers are designed to obtain sensitive information like credentials, while clippers monitor clipboard data to substitute copied cryptocurrency wallet addresses with malicious ones.

Malware loader files involved in the campaign are hosted on Dropbox. Upon downloading these files, victims are presented with user-friendly interfaces that conceal the malware. These interfaces prompt users to either log in, register, or remain on a static page while additional malicious files and payloads are automatically downloaded and installed on their systems.

To mitigate against Tusk-related cyberthreats, Kaspersky has outlined several measures. Individuals should check if their credentials have been compromised by infostealers and use comprehensive security solutions for their devices to prevent infections and receive alerts about potential dangers. They also recommend investing in cybersecurity courses to keep staff updated on the latest threats. Additionally, using secure password managers can help protect against info-stealing malware that targets passwords.