June 20, 2024 at 12:01PM
A widespread campaign is targeting cryptocurrency users through fake virtual meeting software, Vortax, delivering infostealing malware such as Rhadamanthys, Stealc, and Atomic. The threat actor “Markopolo” is linked to this campaign, posing as a legitimate software company but actually engaging in credential harvesting. This campaign highlights an increased focus on macOS infostealers, requiring organizations to implement robust defense strategies and educate users about the risks associated with unapproved software.
The report details a widespread campaign aimed at stealing cryptocurrency by distributing infostealers through fake virtual meeting software for macOS and Windows. The fake app, Vortax, serves as the delivery mechanism for three infostealers: Rhadamanthys, Stealc, and Atomic, with a particular emphasis on reaching cryptocurrency users through social media and messaging channels.
The threat actor responsible for the campaign, dubbed “Markopolo,” has built an elaborate web and social media presence for Vortax, presenting it as legitimate virtual meeting software across various platforms. The campaign has been identified as a widespread credential-harvesting operation, potentially positioning Markopolo as an initial access broker selling to Dark Web shops.
Furthermore, the campaign indicates an increase in macOS-targeted infostealers, particularly the Atomic stealer, which has seen an uptick in activity according to recent research. Insikt Group suggests several mitigation strategies, including regular updates to detection systems for the Atomic infostealer, educating users on the risks of downloading unapproved software, implementing strict security controls, and monitoring platforms that scan for malicious domains and IP addresses associated with macOS malware.
It’s important for organizations to be vigilant against these threats, particularly on the macOS platform, and take proactive measures to prevent infections and protect their networks and users from these malicious activities.