Kaspersky Finds Tusk, An Active Crypto Asset Theft Campaign

JAKARTA - Kaspersky's Global Emergency Response Team (GERT) has detected a fraudulent campaign targeting Windows and macOS users worldwide.

Nicknamed 'Tusk', the scam is, according to Kaspersky, focused on financial gain, such as stealing crypto assets and personal information, by luring victims to fake websites that mimic the designs of various legitimate services.

Victims are persuaded to interact with these fake sites via phishing. The sites are designed to trick individuals into providing sensitive information, such as the private keys to their crypto wallets, or into downloading malware.

The attackers can then connect to victims' crypto wallets via the fake sites and drain their funds, or steal various credentials, wallet details, and other information using infostealer malware.

Kaspersky found strings in the malicious code, sent to the attackers' server, that were written in Russian. The word Mammoth (Russian: Мамонт), slang used by Russian-speaking threat actors to refer to victims, appears in server communications and in the malware download files.

The campaign then spreads infostealer malware such as Danabot and Stealc, as well as clippers, such as open-source variants written in Go (the malware varies depending on the theme of the sub-campaign).

The infostealer is designed to steal sensitive information such as credentials, while the clipper monitors clipboard data. If a crypto wallet address is copied to the clipboard, the clipper replaces it with an attacker-controlled address.
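As an added illustration (not code from Kaspersky's report), the following detection heuristic targets the clipper behaviour just described: a wallet address sitting on the clipboard is silently replaced by a different address of the same type, within seconds, with no copy action by the user. The clipboard events, address formats (only BTC and ETH are checked) and the two-second window are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Assumed address formats for this example: a legacy/bech32 BTC address and a 0x ETH address.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[0-9a-z]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text):
    """Return 'btc', 'eth' or None depending on whether text looks like a wallet address."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None


@dataclass
class ClipboardEvent:
    ts: float      # seconds since monitoring started
    text: str      # clipboard contents after the change
    source: str    # "user" = an explicit copy action was seen; "unknown" = content changed on its own


def find_swaps(events, window=2.0):
    """Return (original, replacement, delay) tuples for clipper-like substitutions:
    an address replaced by a different address of the same kind, within `window`
    seconds, with no user copy action explaining the change."""
    swaps = []
    for prev, cur in zip(events, events[1:]):
        kind_prev, kind_cur = address_kind(prev.text), address_kind(cur.text)
        if kind_prev is None or kind_prev != kind_cur:
            continue                      # not an address-to-address change of the same type
        if prev.text == cur.text or cur.source == "user":
            continue                      # unchanged, or the user deliberately copied something new
        delay = cur.ts - prev.ts
        if 0 <= delay <= window:
            swaps.append((prev.text, cur.text, delay))
    return swaps


# Constructed sample addresses and a constructed clipboard timeline (not real indicators).
ETH_USER, ETH_SWAPPED = "0x" + "ab12" * 10, "0x" + "ff00" * 10
BTC_A, BTC_B = "1" + "A" * 30, "1" + "B" * 30
SAMPLE_EVENTS = [
    ClipboardEvent(10.0, ETH_USER, "user"),        # user copies their ETH address
    ClipboardEvent(10.3, ETH_SWAPPED, "unknown"),  # 300 ms later it changes by itself: clipper pattern
    ClipboardEvent(20.0, "meeting at 3", "user"),  # ordinary text, ignored
    ClipboardEvent(30.0, BTC_A, "user"),
    ClipboardEvent(45.0, BTC_B, "user"),           # a deliberate second copy, not a swap
]

if __name__ == "__main__":
    for original, replacement, delay in find_swaps(SAMPLE_EVENTS):
        print(f"possible clipper: {original} -> {replacement} after {delay:.1f}s")
```

On a live system the event list would be fed by an OS clipboard hook; the heuristic only flags the substitution pattern and does not block anything.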

The malware loader is hosted on Dropbox. Once the victim downloads it, they are shown an easy-to-use interface that serves as a cover for the malware, asking them to log in, register, or simply remain on a static page.

Meanwhile, the remaining malicious files and payloads are downloaded and installed automatically on their systems.