Tusk: Decoding a Complex Infostealer Campaign

Kaspersky GERT uncovered a complex, multi-subcampaign operation, which it named “Tusk,” run by Russian-speaking criminals who disguise malicious infrastructure as legitimate projects to distribute infostealers, clippers, and other malware via phishing. The findings show three active subcampaigns (and 16 inactive ones), social engineering and Dropbox-hosted initial downloaders, a CAPTCHA gate used as an anti-analysis measure, and targeted theft of cryptocurrency wallets and credentials. #Tusk #Danabot #StealC #Mammoth #Dropbox #Captcha #HijackLoader #TidyMe #RuneOnlineWorld #Voico #cryptocurrency

Keypoints

  • Complex, organized campaign identified by Kaspersky GERT, conducted by Russian-speaking actors.
  • Multiple subcampaigns imitate legitimate projects to lure victims.
  • Payloads include the Danabot and StealC infostealers and clipper malware that swaps cryptocurrency addresses in the clipboard.
  • Phishing is used to persuade users to reveal credentials and other data.
  • Three active subcampaigns and 16 inactive ones; all three active ones host their initial downloader on Dropbox.
  • CAPTCHA-based anti-analysis: no malicious activity runs until the victim passes a CAPTCHA, which automated sandboxes cannot solve.
  • Threat actors collect sensitive data, including cryptocurrency wallet information, for financial gain.

MITRE Techniques

  • [T1566] Phishing – Initial access via phishing lures that imitate legitimate projects. – ‘Phishing to gain initial access to victims’ systems.’
  • [T1105] Ingress Tool Transfer – Downloading the initial downloader hosted on Dropbox. – ‘The active sub-campaigns host the initial downloader on Dropbox.’
  • [T1053.005] Scheduled Task – Persistence via creating scheduled tasks. – ‘Creating scheduled tasks for persistence.’
  • [T1555.003] Credentials from Web Browsers – Stealing credentials from browsers and applications. – ‘Stealing credentials from browsers and applications.’
  • [T1119] Automated Collection – Collecting sensitive information including cryptocurrency wallet addresses. – ‘Collecting sensitive information including cryptocurrency wallet addresses.’
  • [T1041] Exfiltration Over C2 Channel – Sending stolen data to C2 servers. – ‘Sending stolen data to command and control (C2) servers.’
  • [T1497] Virtualization/Sandbox Evasion – Execution is gated on a CAPTCHA, so automated sandboxes that cannot solve it never observe the malicious behaviour (the closest sub-technique is T1497.002, User Activity Based Checks). – ‘No malicious activities will be carried out until the victim passes the CAPTCHA check, suggesting that the threat actors added it to prevent execution using automatic dynamic analysis tools.’
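A correlation hunt that ties T1105 (a payload-like file fetched from Dropbox) to T1053.005 (a scheduled task created on the same host shortly afterwards), as an added example that is not code from the Securelist report. The events are constructed, simplified stand-ins for a proxy log and Windows Security 4698 task-creation records; the Dropbox hostnames, the file-extension list, the field names and the ten-minute window are assumptions to tune for your own environment.

```python
"""Correlate an archive/executable download from Dropbox with a scheduled-task
creation on the same host within a short window (T1105 followed by T1053.005).

Added example; not code from the Securelist report. EVENTS is constructed,
simplified telemetry. DROPBOX_HOSTS, PAYLOAD_EXT and WINDOW are assumptions.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Hosts Dropbox uses for shared-link downloads (assumption; extend from your
# own proxy logs if other Dropbox CDN names appear).
DROPBOX_HOSTS = {"dropbox.com", "www.dropbox.com", "dl.dropboxusercontent.com"}
PAYLOAD_EXT = (".zip", ".rar", ".7z", ".exe", ".msi", ".dll")
WINDOW = timedelta(minutes=10)

# Constructed sample events, not real telemetry.
EVENTS = [
    {"ts": "2024-08-01T10:00:05", "host": "WS01", "type": "proxy",
     "url": "https://www.dropbox.com/scl/fi/abc123/installer.zip?dl=1"},
    {"ts": "2024-08-01T10:03:40", "host": "WS01", "type": "task_created",
     "task": "\\Updater", "command": "C:\\Users\\u\\AppData\\Roaming\\app\\update.exe"},
    # Document download: same host, but not a payload-like file.
    {"ts": "2024-08-01T09:10:00", "host": "WS02", "type": "proxy",
     "url": "https://www.dropbox.com/s/xyz789/report.pdf"},
    {"ts": "2024-08-01T09:12:00", "host": "WS02", "type": "task_created",
     "task": "\\Backup", "command": "C:\\Program Files\\Backup\\bk.exe"},
    # Payload download, but the task is created far outside the window.
    {"ts": "2024-08-01T12:00:00", "host": "WS03", "type": "proxy",
     "url": "https://dl.dropboxusercontent.com/s/q/setup.exe"},
    {"ts": "2024-08-01T13:30:00", "host": "WS03", "type": "task_created",
     "task": "\\Cleanup", "command": "C:\\Windows\\System32\\cleanmgr.exe"},
]


def is_dropbox_payload(url: str) -> bool:
    """True when the URL is on a Dropbox host and names an archive or executable."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    return host in DROPBOX_HOSTS and parsed.path.lower().endswith(PAYLOAD_EXT)


def correlate(events, window=WINDOW):
    """Return one hit per (download, task) pair on the same host where the task
    was created within `window` after the download."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)

    hits = []
    for host, evs in by_host.items():
        downloads = [e for e in evs if e["type"] == "proxy" and is_dropbox_payload(e["url"])]
        tasks = [e for e in evs if e["type"] == "task_created"]
        for dl in downloads:
            t0 = datetime.fromisoformat(dl["ts"])
            for task in tasks:
                delta = datetime.fromisoformat(task["ts"]) - t0
                if timedelta(0) <= delta <= window:
                    hits.append({"host": host, "url": dl["url"], "task": task["task"],
                                 "command": task["command"],
                                 "seconds_after_download": int(delta.total_seconds())})
    return hits


if __name__ == "__main__":
    for hit in correlate(EVENTS):
        print(hit)
```

Only WS01 produces a hit: WS02 downloaded a document, and WS03 created its task ninety minutes after the download. In production the same join is better expressed in your SIEM's query language, but the two filters (payload-like path on a Dropbox host, task creation within a bounded window) are the parts worth keeping.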

Indicators of Compromise

  • [URL/Domain] – Campaign infrastructure and downloaders hosted on Dropbox and on various malicious URLs. Examples: tidyme.io, testload.pythonanywhere.com/getbytes/f (pythonanywhere.com is a shared hosting platform, so block the full hostname and path rather than the parent domain)
  • [IP Address] – StealC C2 servers and download infrastructure. Examples: 46.8.238.240, 23.94.225.177
  • [Domain] – Campaign main domains: tidyme.io, tidyme.app, runeonlineworld.io, voico.io
  • [SHA256 Hash] – Sample malicious and loader components. Examples: 0D877B9163241E6D2DF2779D54B9EDA8ABC909F022F5F74F084203134D5866E2, 142B8D0080DB24246615059E4BADF439F68C2B219C68C7AC7F4D2FC81F5BB9C2
  • [Wallet Address] – Cryptocurrency addresses used in the campaign. Examples: BTC 1DSWHiAW1iSFYVb86WQQUPn57iQ6W1DjGo, BTC bc1qqkvgqtpwq6g59xgwr2sccvmudejfxwyl8g9xg0, ETH 0xaf0362e215Ff4e004F30e785e822F7E20b99723A
  • [File/Module] – Malicious and legitimate DLL/EXE components used in payloads; since some of these are legitimate binaries shipped alongside the malicious ones, file names alone are weak indicators, so match on the hashes. Examples: madHcCtrl.exe, madHcNet32.dll, wickerwork.indd, unrar.dll
  • [DNS/MX Record] – DNS records related to campaign domains. Example: _dc-mx.bf442731a463.tidyme.io
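A sweep of log lines against the indicators above, as an added example that is not code from the Securelist report. The IOC values are the ones quoted on this page; the log lines are constructed (not real telemetry) in a simplified `timestamp source host key=value ...` form, and the field names are assumptions. The point of the example is the handling a practitioner needs when operationalising this list: suffix matching for actor-controlled domains (so the `_dc-mx.…tidyme.io` record hits), exact matching for hostnames on shared platforms, case-insensitive hash comparison, and case-aware wallet comparison.

```python
"""Sweep constructed log lines against the Tusk indicators listed above.

Added example; not code from the Securelist report. IOC values are those quoted
on this page; LOGS is constructed, not real telemetry; the key=value field names
are assumptions.
"""
import re

# Domains the actor controls: any subdomain is suspicious.
ACTOR_DOMAINS = {"tidyme.io", "tidyme.app", "runeonlineworld.io", "voico.io"}
# Hostnames on shared platforms: match only this exact name, never the parent
# domain, or every pythonanywhere.com tenant becomes a false positive.
EXACT_HOSTS = {"testload.pythonanywhere.com"}
IPS = {"46.8.238.240", "23.94.225.177"}
HASHES = {h.lower() for h in (
    "0D877B9163241E6D2DF2779D54B9EDA8ABC909F022F5F74F084203134D5866E2",
    "142B8D0080DB24246615059E4BADF439F68C2B219C68C7AC7F4D2FC81F5BB9C2",
)}
WALLETS = {
    "1DSWHiAW1iSFYVb86WQQUPn57iQ6W1DjGo",          # base58: case-sensitive
    "bc1qqkvgqtpwq6g59xgwr2sccvmudejfxwyl8g9xg0",   # bech32: case-insensitive
    "0xaf0362e215Ff4e004F30e785e822F7E20b99723A",   # hex: case carries only a checksum
}
WALLETS_CI = {w.lower() for w in WALLETS}

# Constructed sample log lines, not real telemetry.
LOGS = [
    "2024-08-01T10:01:02 dns WS01 query=_dc-mx.bf442731a463.tidyme.io",
    "2024-08-01T10:01:09 proxy WS01 dst=46.8.238.240:80",
    "2024-08-01T10:02:30 edr WS01 file=madHcNet32.dll "
    "sha256=0d877b9163241e6d2df2779d54b9eda8abc909f022f5f74f084203134d5866e2",
    "2024-08-01T10:05:00 dns WS02 query=www.pythonanywhere.com",     # shared host, benign
    "2024-08-01T10:06:00 dns WS02 query=nottidyme.io",                # not a subdomain
    "2024-08-01T10:07:00 dns WS02 query=TESTLOAD.pythonanywhere.com",
    "2024-08-01T10:08:00 clipboard WS03 wallet=bc1qqkvgqtpwq6g59xgwr2sccvmudejfxwyl8g9xg0",
]

KV = re.compile(r"(\w+)=(\S+)")


def domain_matches(name: str) -> bool:
    """Exact match for shared-hosting names; suffix match on a label boundary
    for actor-controlled domains (so nottidyme.io does not match tidyme.io)."""
    name = name.lower().rstrip(".")
    if name in EXACT_HOSTS:
        return True
    return any(name == d or name.endswith("." + d) for d in ACTOR_DOMAINS)


def wallet_matches(addr: str) -> bool:
    """bech32 (bc1...) and hex (0x...) addresses compare case-insensitively;
    base58 addresses are case-sensitive."""
    if addr.lower().startswith(("bc1", "0x")):
        return addr.lower() in WALLETS_CI
    return addr in WALLETS


def sweep(lines):
    """Return (timestamp, host, reason) for every line that hits an indicator."""
    hits = []
    for line in lines:
        ts, _source, host = line.split()[:3]
        fields = dict(KV.findall(line))
        reason = None
        if "query" in fields and domain_matches(fields["query"]):
            reason = "domain:" + fields["query"]
        elif "dst" in fields and fields["dst"].rsplit(":", 1)[0] in IPS:
            reason = "ip:" + fields["dst"]
        elif "sha256" in fields and fields["sha256"].lower() in HASHES:
            reason = "hash:" + fields["sha256"].lower()
        elif "wallet" in fields and wallet_matches(fields["wallet"]):
            reason = "wallet:" + fields["wallet"]
        if reason:
            hits.append((ts, host, reason))
    return hits


if __name__ == "__main__":
    for hit in sweep(LOGS):
        print(*hit)
```

Five of the seven constructed lines hit; the two that do not are the benign shared-hosting lookup and the look-alike `nottidyme.io`, which a naive `endswith("tidyme.io")` would have flagged.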

Read more: https://securelist.com/tusk-infostealers-campaign/113367/