A recent malicious campaign targeting cryptocurrency users has been linked to a threat actor known as markopolo, who is behind a large-scale cross-platform scam involving the Vortax malware.
Description
Victims are lured to a website and asked to enter a Room ID to download the Vortax application [1] [3] [4], a virtual meeting app that is non-functional but runs malicious processes in the background to steal information [3]. The booby-trapped app installs Rhadamanthys on Windows [1] [4] and StealC on macOS [1] [3] [4] [5] [6], along with the rare macOS infostealer AMOS [2]; the deployment of these stealers signals a significant rise in macOS security threats [1]. Vortax is connected to other malicious applications such as VDeck and Mindspeak, likely operated by the same threat actor, revealing a network of malicious applications [1] [3] [6]. To legitimize Vortax on social media and the wider internet, Markopolo maintains a dedicated Medium blog and a verified account on X [1] [4]. The actor uses shared hosting and C2 infrastructure for all builds [1] [4], indicating an agile campaign that quickly adapts to new lures [4]. Separately, cybercriminals are exploiting cloud storage services to host static websites with spam URLs that deceive users into providing personal and financial information [4]; detecting and blocking these URLs remains an ongoing challenge because they sit under the legitimate domains of reputable companies [4].
Conclusion
This malicious campaign targeting cryptocurrency users highlights the need for increased vigilance and security measures to protect against evolving cyber threats. Mitigating the risks posed by threat actors like markopolo requires a coordinated effort from cybersecurity professionals and organizations. The use of shared hosting and C2 infrastructure by the threat actor underscores the importance of monitoring and blocking suspicious activities. As cybercriminals continue to exploit cloud storage services and legitimate domains for malicious purposes, it is crucial for users to exercise caution and verify the authenticity of websites and applications before providing any sensitive information. The rise in macOS security threats and the network of malicious applications uncovered in this campaign serve as a reminder of the ever-present dangers in the digital landscape, emphasizing the need for ongoing cybersecurity awareness and proactive defense strategies.
References
[1] https://www.redpacketsecurity.com/warning-markopolo-s-scam-targeting-crypto-users-via-fake-meeting-software/
[2] https://www.infosecurity-magazine.com/news/meeting-software-macos-infostealer/
[3] https://www.helpnetsecurity.com/2024/06/19/cryptocurrency-malware/
[4] https://thehackernews.com/2024/06/warning-markopolos-scam-targeting.html
[5] https://rhyno.io/blogs/cybersecurity-awareness-training/markopolos-crypto-scam-via-fake-meeting-software/
[6] https://cyber.vumetric.com/security-news/2024/06/19/clever-macos-malware-delivery-campaign-targets-cryptocurrency-users/