Tusk: A Massive Infostealer Campaign Attacking Windows Users to Steal Logins

A malicious website, tidyme.io, impersonates peerme.io, a legitimate platform for creating DAOs on the MultiversX blockchain. The cloned site replaces the “Create your team now” button with a “Download” button to trick visitors into downloading malware. 

Clicking the button sends the browser's user-agent string to the server, which then serves the malware build that matches the victim's operating system (Windows in this case). 

The malware is hosted on Dropbox, and the download is gated behind a CAPTCHA challenge that hinders automated analysis tools. Once the CAPTCHA is solved, the downloader fetches and executes additional malicious files. The site also tries to steal cryptocurrency by prompting visitors to connect their wallets. 

CAPTCHA form

The TidyMe downloader, tidyme.exe, reads its configuration from a config.json file that holds base64-encoded URLs for two downloads: an archive and a raw byte payload. 

It then calls two functions, downloadAndExtractArchive and loadFile. downloadAndExtractArchive reads the archive URL from the config, base64-decodes it, downloads a RAR archive, extracts it using a password also stored in the config, and executes every .exe file it extracted. 

loadFile reads the bytes URL, decodes it, fetches the content with an HTTP GET request, writes the response body to disk as a new .exe file, appends extra bytes to it, and executes it. Both functions report their progress to the C2 server at hxxps://tidyme.io/api.php via HTTP POST requests.
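The configuration format described above is straightforward to decode during triage. The following Node.js helper is an added example, not code from the TidyMe downloader or from the Securelist report: it parses a config.json laid out the way the article describes (base64-encoded archive and byte-payload URLs plus an archive password), validates that each decoded value really is an http(s) URL, and collapses the result into block-list material. The key names archiveUrl, bytesUrl and password, the sample hostnames, and the sample password are assumptions made for this example.

```javascript
// Added triage helper (not the TidyMe downloader's own code). It decodes a
// config.json of the shape the article describes and turns it into IOCs.
// Key names and all sample values below are assumptions for this example.

// Constructed sample config. The host uses the reserved example.com domain,
// not real campaign infrastructure.
const SAMPLE_CONFIG = JSON.stringify({
  archiveUrl: Buffer.from('https://cdn.example.com/tidyme/update.rar').toString('base64'),
  bytesUrl: Buffer.from('https://cdn.example.com/tidyme/bytes.bin').toString('base64'),
  password: 'stub-archive-password',
});

// Decode base64 (standard or URL-safe alphabet, with or without padding) and
// require the result to be an http(s) URL. Anything else is treated as a
// malformed config rather than silently handed to a downloader.
function decodeUrl(b64) {
  const normalised = b64.replace(/-/g, '+').replace(/_/g, '/');
  const text = Buffer.from(normalised, 'base64').toString('utf8');
  let url;
  try {
    url = new URL(text);
  } catch {
    throw new Error(`decoded value is not a URL: ${JSON.stringify(text)}`);
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error(`unexpected URL scheme ${url.protocol}`);
  }
  return url.href;
}

// Parse the raw JSON and decode both URLs; fail loudly on a missing field so a
// truncated or tampered config does not produce half-decoded output.
function parseDownloaderConfig(json) {
  const cfg = JSON.parse(json);
  for (const key of ['archiveUrl', 'bytesUrl', 'password']) {
    if (typeof cfg[key] !== 'string') throw new Error(`config missing string field ${key}`);
  }
  return {
    archiveUrl: decodeUrl(cfg.archiveUrl),
    bytesUrl: decodeUrl(cfg.bytesUrl),
    archivePassword: cfg.password,
  };
}

// Collapse the decoded config into block-list material: unique hostnames and
// full URLs, plus the C2 endpoint the article names for the downloader's logs.
function extractIocs(json) {
  const cfg = parseDownloaderConfig(json);
  const urls = [cfg.archiveUrl, cfg.bytesUrl];
  const hosts = [...new Set(urls.map((u) => new URL(u).hostname))];
  return {
    hosts,
    urls,
    archivePassword: cfg.archivePassword,
    c2: 'https://tidyme.io/api.php',
  };
}

console.log(JSON.stringify(extractIocs(SAMPLE_CONFIG), null, 2));
```

The scheme check matters in practice: a config that decodes to a file: or UNC path is a sign of tampering or of a different loader variant, and an analyst wants that surfaced rather than quietly passed along.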

Main interface for TidyMe.exe

Malicious programs such as updateload.exe and bytes.exe use HijackLoader to evade security controls and inject code into legitimate processes such as cmd.exe and explorer.exe. 

The injected code ultimately delivers a variant of the StealC infostealer, which collects extensive information from the infected system, including hardware IDs, installed software versions, network details, usernames, screenshots, and the list of running processes. 

The stealer then contacts its command-and-control server, which tells it which data to harvest from web browsers, browser extensions, and, potentially, cryptocurrency wallets. 

Second sub-campaign: malicious and original sites

The RuneOnlineWorld sub-campaign uses a multi-stage attack. The initial downloader presents a fake login page, exfiltrates the credentials entered into it, and downloads the next payloads. 

The first payload uses HijackLoader to inject malicious code into system processes and downloads and executes further malware from multiple C2 servers. 

The second payload again uses HijackLoader to inject code into several processes, then downloads encrypted files and creates a scheduled task for persistence. 

Initial downloader routine: RuneOnlineWorld.exe

The Securelist report describes a multi-stage malware campaign that relies on social engineering and on trust in well-known platforms to target both Windows and macOS environments. 

The initial downloader is delivered as an Electron application. It retrieves a platform-specific payload, which uses HijackLoader to extract and execute the final stage: clipper malware written in Go. 

The clipper monitors the clipboard and replaces copied cryptocurrency wallet addresses with an attacker-controlled address; the campaign also deploys infostealers that steal credentials and software-based cryptocurrency wallets. 
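The clipper behaviour described above has a simple host-side signature: the clipboard holds a wallet address, and milliseconds later it holds a different address of the same kind, with no user action in between. The following Node.js code is an added detection example, not code from the Securelist report or from the Tusk malware. It classifies clipboard contents by address format and flags a swap when two consecutive clipboard samples are different addresses of the same chain within a short window. The address formats recognised, the 2-second window, the sampled timeline, and the placeholder addresses are all assumptions made for this example.

```javascript
// Added detection example (not code from the report or the malware). Models a
// host agent that samples the clipboard and flags the address substitution a
// clipper performs. Formats, window and sample timeline are assumptions.

// Address formats recognised here; extend the list for other chains.
const ADDRESS_FORMATS = [
  { chain: 'ethereum', re: /^0x[0-9a-fA-F]{40}$/ },
  { chain: 'bitcoin-bech32', re: /^bc1[ac-hj-np-z02-9]{25,62}$/ },
  { chain: 'bitcoin-base58', re: /^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$/ },
];

// Return the chain name for an address-like string, or null for other text.
function classifyAddress(text) {
  const trimmed = text.trim();
  const hit = ADDRESS_FORMATS.find((f) => f.re.test(trimmed));
  return hit ? hit.chain : null;
}

// events: clipboard snapshots in time order, each {t: ms since start, text}.
// A swap is two consecutive snapshots that are both addresses of the same
// chain, differ, and arrive within windowMs of each other. A person rarely
// copies two different addresses that quickly; a clipper does it in milliseconds.
function detectClipperSwaps(events, windowMs = 2000) {
  const alerts = [];
  for (let i = 1; i < events.length; i++) {
    const prev = events[i - 1];
    const cur = events[i];
    const chain = classifyAddress(prev.text);
    if (chain === null || chain !== classifyAddress(cur.text)) continue;
    if (prev.text.trim() === cur.text.trim()) continue;
    const deltaMs = cur.t - prev.t;
    if (deltaMs > windowMs) continue;
    alerts.push({
      chain,
      at: cur.t,
      original: prev.text.trim(),
      replaced: cur.text.trim(),
      deltaMs,
    });
  }
  return alerts;
}

// Constructed clipboard timeline with placeholder addresses (not real ones):
// the user copies a deposit address, a clipper overwrites it 120 ms later,
// and a minute later the user copies an unrelated address themselves.
const USER_ADDRESS = '0x' + 'a'.repeat(40);
const ATTACKER_ADDRESS = '0x' + 'b'.repeat(40);
const LATER_ADDRESS = '0x' + 'c'.repeat(40);
const SAMPLE_EVENTS = [
  { t: 0, text: 'meeting notes' },
  { t: 1000, text: USER_ADDRESS },
  { t: 1120, text: ATTACKER_ADDRESS },      // swapped after 120 ms: alert
  { t: 1120 + 60000, text: LATER_ADDRESS }, // user copy a minute later: no alert
];

console.log(detectClipperSwaps(SAMPLE_EVENTS));
```

The window is the tuning knob: too long and it fires on a user pasting between two of their own wallets, too short and a clipper that polls slowly slips past. Pairing the alert with the process that last wrote to the clipboard (available from the OS clipboard APIs) turns it from a heuristic into an attributable event.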

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.