A sophisticated Russian-speaking cybercriminal operation named Tusk comprises three active subcampaigns that impersonate legitimate projects to spread malware (including Danabot and StealC) and to steal credentials and wallet access. Attackers use phishing and Dropbox-hosted droppers to collect sensitive data and potentially monetize it on the dark web. Hashtags: #Tusk #Danabot #StealC #TidyMe #RuneOnlineWorld #Voico #Dropbox #MultiversX
Key points
- Identified a complex campaign by Russian-speaking cybercriminals named Tusk with three active subcampaigns.
- Subcampaigns TidyMe, RuneOnlineWorld, and Voico imitate legitimate projects to build victim trust.
- Initial loaders are hosted on Dropbox and delivered via phishing to steal data.
- Malware families include Danabot and StealC stealers and a clipboard stealer; victims’ confidential data and wallets may be exfiltrated or sold on the dark web.
- The campaign employs advanced social engineering and multi-stage distribution, including CAPTCHA-based checks to hinder automated analysis.
- Infrastructure links and relationships reveal a connected network of domains and IPs shared across the campaigns; 16 additional, currently inactive subcampaigns were also observed.
MITRE Techniques
- [T1566] Phishing – “Using phishing to obtain confidential information from users.”
- [T1003] Credential Dumping – “Collection of credentials from browsers and other sources.”
- [T1213] Data from Information Repositories – “Data collected from wallet apps and browsers.”
- [T1105] Remote File Copy – “Downloading malicious files from remote servers (Dropbox).”
- [T1055] Process Injection – “Injecting malicious code into legitimate processes (e.g., explorer.exe).”
- [T1071] Command and Control – “Exchanging data with a command server to obtain configuration and load additional files.”
Indicators of Compromise
- [Domain] Campaign infrastructure domains – tidyme.io, tidymeapp.io, tidyme.app, runeonlineworld.io, voico.io, and other related domains (e.g., astrosounsports.shop, partyroyale.fun)
- [URL] Primary dropper and loader delivery links – https://www.dropbox.com/scl/fi/cw6jsbp981xy88tzk3obm/updateload.rar?rlkey=87g969em599vnoslcglyo97fa&st=1p7dopsl&dl=1, https://www.dropbox.com/scl/fi/gvlceblluk9thfijhywu2/update.rar?rlkey=ch37ht5fdklng66t04r8h8kaa&st=sddqqvhz&dl=1
- [URL] Test and fetch endpoints used by loaders – testload.pythonanywhere.com/getbytes/f, testload.pythonanywhere.com/getbytes/m, testload.pythonanywhere.com/getbytes/s
- [Hash] Malware file hashes – MD5: B42F971AC5AAA48CC2DA13B55436C277; SHA256: C990A578A32D545645B51C2D527D7A189A7E09FF7DC02CEFC079225900F296AC
- [URL] Command-and-control and data-exfiltration endpoints – https://tydime.io/api.php
- [Wallet] Crypto-wallet addresses observed in the clipboard stealer – BTC: 1DSWHiAW1iSFYVb86WQQUPn57iQ6W1DjGo, bc1qqkvgqtpwq6g59xgwr2sccvmudejfxwyl8g9xg0, ETH: 0xaf0362e215Ff4e004F30e785e822F7E20b99723A
Read more: https://securelist.ru/tusk-infostealers-campaign/110460/