A sophisticated information stealer campaign known as Tusk [2] [3] [4], orchestrated by Russian-speaking cybercriminals [1] [2] [3] [4], impersonates legitimate brands to distribute malware like DanaBot and StealC [2] [3] [4].

Description

The sub-campaigns within Tusk exploit the reputation of legitimate platforms, using bogus websites and social media accounts to trick users into downloading malware [2]; the initial downloader is hosted on Dropbox [2]. These campaigns rely on phishing tactics to deceive victims into handing over personal and financial information [2], which is then sold on the dark web or used for unauthorized access to gaming accounts and cryptocurrency wallets [1] [2]. The malware is designed to steal sensitive information and perform fraudulent transactions.

Three active sub-campaigns have been identified within Tusk: TidyMe [1], RuneOnlineWorld [1] [2], and Voico [2]. TidyMe mimics peerme(.)io to distribute malicious programs for Windows and macOS systems [1]. RuneOnlineWorld uses a fake website simulating an MMO game to distribute DanaBot and StealC [1], along with a clipper malware that monitors the clipboard and replaces copied wallet addresses [1]. Voico mimics an AI translation project to spread an initial downloader that collects victim credentials [1].

The threat actors behind Tusk demonstrate advanced capabilities in social engineering and multistage malware delivery [2] [4], exploiting the trust users place in well-known platforms for financial gain [4]. The StealC malware used in these campaigns communicates with different command and control servers [1], further highlighting the capabilities of the cybercriminals involved [1].
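The clipper behaviour described above (silently replacing a copied wallet address with an attacker-controlled one) can be checked for from the defender's side by recording what the user actually copied and comparing it with the clipboard contents at paste time. The following is an added example written for this page, not code from the cited reports or from any of the malware families named; the address patterns, the `check_paste`/`scan_events` helpers and the sample clipboard events are all constructed for illustration and cover only a few common address formats.

```python
"""Clipboard wallet-address substitution check (constructed example, not from the cited reports)."""
import re
from typing import Optional

# Assumption: these patterns are the address formats this example recognises.
# Real clippers target many more asset types; extend the table as needed.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the address kind for text, or None if it is not a recognised address format."""
    candidate = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return kind
    return None


def _canonical(kind: str, text: str) -> str:
    """Normalise an address for comparison.

    Ethereum addresses are often displayed with EIP-55 mixed-case checksums, so a
    case-only difference is a legitimate re-encoding, not tampering.
    """
    value = text.strip()
    return value.lower() if kind == "eth" else value


def check_paste(copied: str, pasted: str) -> Optional[dict]:
    """Compare the value captured at copy time with the value present at paste time.

    Returns an alert dict when a wallet address was copied and a different address
    is about to be pasted; returns None when nothing suspicious is observed.
    """
    copied_kind = classify_address(copied)
    if copied_kind is None:
        return None  # the user did not copy a wallet address: nothing to protect
    pasted_kind = classify_address(pasted)
    if pasted_kind is None:
        return None  # clipboard now holds ordinary text: the user copied something else
    if copied_kind == pasted_kind and _canonical(copied_kind, copied) == _canonical(pasted_kind, pasted):
        return None  # unchanged, ignoring harmless case differences
    return {
        "alert": "clipboard_address_substitution",
        "copied_kind": copied_kind,
        "pasted_kind": pasted_kind,
        "copied": copied.strip(),
        "pasted": pasted.strip(),
        "same_kind": copied_kind == pasted_kind,
    }


def scan_events(events):
    """Run check_paste over (copied, pasted) pairs from a clipboard log and return the alerts."""
    return [a for a in (check_paste(c, p) for c, p in events) if a is not None]


# Constructed sample events (not real observations): each pair is what the user copied
# and what the clipboard contained at the moment of paste.
SAMPLE_EVENTS = [
    ("0x" + "a1b2c3d4" * 5, "0x" + "a1b2c3d4" * 5),  # untouched
    ("0x" + "a1b2c3d4" * 5, "0x" + "A1B2C3D4" * 5),  # checksum-case only: benign
    ("0x" + "a1b2c3d4" * 5, "0x" + "deadbeef" * 5),  # swapped in transit: clipper behaviour
    ("bc1qzry9x8gf2tvdw0s3jn54khce6mua7lqpzry9x8", "invoice #4471"),  # user copied text later
    ("meeting at 10", "0x" + "deadbeef" * 5),  # nothing sensitive was copied
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

The design choice worth noting is that only a change from one address to another address raises an alert: a change to ordinary text is what a normal user produces many times a day, while an address silently turning into a different address of the same kind is exactly the signature of a clipper and almost never happens by accident. In a real deployment the copy-time value would be captured by a clipboard hook rather than passed in as a constant.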

Conclusion

The Tusk campaign poses a significant threat to individuals and organizations, as it demonstrates the evolving tactics and techniques used by cybercriminals to steal sensitive information and conduct fraudulent activities. It is crucial for users to remain vigilant and implement strong security measures to protect against such sophisticated attacks. Additionally, collaboration between law enforcement agencies and cybersecurity experts is essential to combat these cyber threats effectively and safeguard digital assets.

References

[1] https://www.ruetir.com/2024/08/16/danabot-and-stealc-malware-campaign-coming-from-russia/
[2] https://vulners.com/thn/THN:36D6D1B81544FEA369E4D58E4C80A76E
[3] https://news.backbox.org/2024/08/16/russian-hackers-using-fake-brand-sites-to-spread-danabot-and-stealc-malware/
[4] https://thehackernews.com/2024/08/russian-hackers-using-fake-brand-sites.html