Russian threat actors run rampant against game developers

A fraudulent Web3 gaming project is dropping multiple variants of information stealers on both macOS and Windows devices.
According to Recorded Future's Insikt Group, which discovered the malicious activity, the ultimate goal of the campaign appears to be to trick victims so that their cryptocurrency wallets can be stolen.
The large-scale Russian-language campaign imitates legitimate projects by slightly changing the project name and branding, and even goes so far as to create multiple fake social media accounts to make the project appear authentic, according to a report published online.
In this attack, the project's main web page provides or links to installation files for "gaming" software, ostensibly intended for use by developers. However, these files instead deliver either Atomic macOS Stealer for Intel or ARM-based devices, or Rhadamanthys, RisePro or Stealc, depending on the victim's operating system.
“The targeted nature of this campaign suggests that attackers may perceive Web3 gamers to be more severely vulnerable to social engineering due to the expected trade-offs in cyber hygiene. This suggests that Web3 gamers may have less protection against cybercrime.”
The profits come in the form of cryptocurrency, as the attackers primarily target developers' crypto wallets with the intention of compromising them. Web3 games are online games such as Axie Infinity and MixMob that are built on blockchain technology and can provide financial benefits to players, who win various cryptocurrencies.
According to Insikt Group, "Wallet compromise remains the number one threat to both Web3 and cryptocurrency security, so we believe that wallet compromise is likely the end goal of this campaign." The report said attackers could also use credentials collected from the malicious activity "for a range of unauthorized account accesses."
In fact, the report outlines several social media reports of game developers falling victim to the fraud and having their crypto wallets drained, including developers who lost approximately 2.5 Ethereum, or approximately $8,000.
Setting a trap by impersonation
The campaign is carried out through so-called "trap phishing," in which a malicious attacker clones and deploys a look-alike Web3 project.
In January, Web3 smart contract auditing firm CertiK reported on a project called "Astration" that used fake job postings and non-fungible token (NFT) services to lure game developers into a trap-phishing campaign and spread information stealers. Following that disclosure, Insikt researchers began investigating the malicious activity.
The fraudulent project cloned and recreated nearly all social media accounts associated with a legitimate project called Alteration, reposting social media content from the legitimate accounts, setting up a direct copy of the project's Discord server, and delivering various types of malware.
After further investigation, Insikt discovered five more fraudulent gaming projects. Three of them served malicious files that communicated with the same command-and-control (C2) servers as those obtained from the Astration project. The other two were no longer active but were found to be similar to the active scams. The game names associated with the active projects were ArgonGame, DustFighter, and CosmicWay Reboot, while the games associated with the inactive projects were Crypterium World and Myth Island.
Overall, the threat actors are running the campaigns through "resilient infrastructure," Insikt said, which allows them to adapt quickly to detection by rebranding or shifting their focus.
Stay vigilant to reduce risk
Insikt emphasized the need for both individuals and organizations to maintain constant vigilance against threats and to adopt mitigation strategies against campaigns that use phishing as the initial point of entry. To this end, the group proposed a number of mitigation measures in its report and included a list of indicators of compromise.
The first is to provide comprehensive training to users (particularly those in Web3 gaming and related industries) so they can recognize the social engineering tactics used in trap phishing. The report says game developers in particular need to "scrutinize the legitimacy of Web3 projects promoted on social media."
Organizations should also educate users about the well-known risks associated with downloading software from unverified sources and the importance of verifying the authenticity of a project website before installation.
Endpoint protection solutions updated with the latest threat intelligence, including antivirus software that can detect and block the known information stealers Atomic, Stealc, Rhadamanthys and RisePro, also help organizations avoid breaches.
According to Insikt, organizations should also deploy multi-platform security measures such as firewalls, intrusion detection systems, and endpoint detection and response (EDR) solutions to prevent malware infections across both macOS and Windows devices.