A recent campaign targeting cryptocurrency users has been making waves by spreading infostealers through fake virtual meeting software on both macOS and Windows platforms, with a particular focus on macOS using the dangerous Atomic stealer. Discovered by Recorded Future’s Insikt Group, the campaign is attributed to a threat actor named “Markopolo” and involves a fake app called Vortax, which serves as a delivery mechanism for three infostealers: Rhadamanthys, Stealc, and Atomic.
According to a report published by Insikt this week, attackers use Vortax to target cryptocurrency users through social media and Telegram channels in order to steal their credentials and ultimately siphon off their crypto assets. The campaign is linked to a previous attack by Markopolo against the Web3 gaming community, showcasing the group’s agility in using shared hosting and command-and-control infrastructure to pivot to new scams when necessary.
Insikt Group highlighted the increase in infostealers targeting macOS platforms, a domain that has traditionally seen fewer threats compared to its Windows counterpart. The rise of the Atomic stealer, in particular, has been noted in recent research, indicating a shift towards targeting macOS users by threat actors.
Furthermore, the campaign built around Vortax, the fake virtual meeting software, rests on a convincing online brand presence that includes social media accounts, a Medium blog, and a supposed Toronto-based company address that turned out to be fraudulent. The software claims to be available for multiple platforms but requires a “Room ID” for download, a gate that exists only to deliver malware under the guise of legitimate software.
Insikt provided recommendations for mitigating the campaign, especially on the macOS platform, which is increasingly becoming a target for malicious actors. One suggested mitigation is to ensure that detection systems for the Atomic infostealer are continually updated to prevent infections. Additionally, organizations are advised to educate users about the risks of downloading unapproved software, implement strict security controls, and encourage reporting of suspicious activities encountered on social media and other platforms.
Intelligence and monitoring platforms that scan for malicious domains and IP addresses associated with the Atomic stealer and other macOS malware can also play a significant role in preventing infections. By staying vigilant and implementing robust defense strategies, users and organizations can reduce the risk posed by software that conceals malware and protect themselves from falling victim to campaigns like the one orchestrated by Markopolo.
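The indicator-matching step that the recommendations above describe (checking observed DNS queries and outbound connections against a feed of known-bad domains and IP addresses) looks roughly like the following. This is an added illustration, not code from Recorded Future or the report; the domains, IP addresses and log lines are constructed placeholders (RFC 2606 `.example` names and RFC 5737 documentation addresses), not the campaign's real indicators, and the log format is assumed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Placeholder indicators, constructed for this example. They are NOT the
# campaign's real IoCs; a real deployment would load these from a threat
# intelligence feed and refresh them regularly.
INDICATOR_DOMAINS = {"vortax-download.example", "meetings-room-id.example"}
INDICATOR_IPS = {"192.0.2.10", "198.51.100.77"}  # RFC 5737 documentation ranges

# Constructed sample log lines (DNS resolver and web proxy), not captured
# from any real host. The "client=... query=..." / "client=... dst=..." layout
# is an assumed format.
SAMPLE_LOGS = [
    "2024-06-20T10:01:02Z dns client=10.0.0.5 query=www.apple.com type=A",
    "2024-06-20T10:01:09Z dns client=10.0.0.5 query=cdn.vortax-download.example type=A",
    "2024-06-20T10:01:10Z proxy client=10.0.0.5 dst=192.0.2.10:443 method=GET path=/Vortax.dmg",
    "2024-06-20T10:02:31Z proxy client=10.0.0.8 dst=203.0.113.9:443 method=GET path=/index.html",
    "2024-06-20T10:03:00Z dns client=10.0.0.8 query=meetings-room-id.example type=AAAA",
]


@dataclass(frozen=True)
class Hit:
    client: str     # internal host that touched the indicator
    indicator: str  # the domain or IP that matched
    kind: str       # "domain" or "ip"
    line: str       # original log line, kept for the analyst


LINE_RE = re.compile(r"client=(?P<client>\S+)\s+(?:query=(?P<query>\S+)|dst=(?P<dst>\S+))")


def domain_matches(name, indicators):
    """True if `name` equals an indicator or is a subdomain of one.

    Matching on the label boundary avoids false positives such as
    'notvortax-download.example' matching 'vortax-download.example'.
    """
    name = name.lower().rstrip(".")
    return any(name == ind or name.endswith("." + ind) for ind in indicators)


def scan_log_lines(lines, domains=INDICATOR_DOMAINS, ips=INDICATOR_IPS):
    """Return a Hit for every log line whose query or destination is an indicator."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # line not in the assumed format; skip rather than guess
        client = m.group("client")
        query, dst = m.group("query"), m.group("dst")
        if query and domain_matches(query, domains):
            hits.append(Hit(client, query, "domain", line))
        elif dst:
            host = dst.rsplit(":", 1)[0]  # assumes IPv4 host:port form
            try:
                ip = ipaddress.ip_address(host)
            except ValueError:
                continue  # destination logged as a hostname; handled by DNS matching
            if str(ip) in ips:
                hits.append(Hit(client, str(ip), "ip", line))
    return hits


def clients_to_triage(hits):
    """Distinct internal clients that contacted an indicator, for IR follow-up."""
    return sorted({h.client for h in hits})


if __name__ == "__main__":
    found = scan_log_lines(SAMPLE_LOGS)
    for h in found:
        print(f"{h.kind:6} {h.client:10} -> {h.indicator}")
    print("hosts to triage:", clients_to_triage(found))
```

Two points worth keeping in a real deployment: indicator feeds go stale quickly, so the match list must be refreshed, and a hit on a DNS query alone shows intent to resolve, not a completed download, so the proxy or EDR record for the same host is what confirms an infection.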
