Threat Research

Meeten Malware: A Cross-Platform Threat to Crypto Wallets on macOS and Windows

CadoSecurity
Summary:
Cado Security Labs has uncovered a sophisticated scam targeting Web3 professionals, involving a crypto stealer named Realst. The threat actors create fake companies and websites using AI-generated content to lure victims into downloading malicious software. This campaign has been active for about four months, with the malware capable of stealing sensitive information from both macOS and Windows systems.
#Web3Scam #CryptoTheft #AIInCybercrime
Keypoints:

  • New scam targeting Web3 professionals identified by Cado Security Labs.
  • Malware named Realst has variants for both macOS and Windows.
  • Threat actors use AI to create fake companies and websites for legitimacy.
  • Victims are tricked into downloading the Meeten application, which is an information stealer.
  • Scammers impersonate known contacts to initiate communication via Telegram.
  • Malware exfiltrates sensitive data such as cryptocurrency credentials and banking information.
  • Persistence mechanisms include registry key modifications on Windows systems.
  • AI-generated content increases the difficulty of detecting suspicious websites.
  • Users are advised to verify sources and be cautious when approached about business opportunities.
    • MITRE Techniques:

  • User Execution (T1204): Users are tricked into executing malicious software.
  • Credentials From Password Stores: Keychain (T1555.001): Stealing credentials stored in the macOS Keychain.
  • Credentials From Password Stores: Credentials from Web Browsers (T1555.003): Extracting stored credentials from web browsers.
  • Steal Web Session Cookie (T1539): Capturing web session cookies for unauthorized access.
  • Browser Information Discovery (T1217): Gathering information about the user’s browser.
  • System Information Discovery (T1082): Collecting system information for profiling the victim.
  • System Network Configuration Discovery (T1016): Discovering network configurations of the system.
  • System Owner/User Discovery (T1033): Identifying the owner or user of the system.
  • Data from Local System (T1005): Accessing data stored locally on the system.
  • Local Data Staging (T1074): Preparing data for exfiltration.
  • Exfiltration Over C2 Channel (T1041): Sending stolen data to a command and control server.
  • Financial Theft (T1657): Stealing financial information from victims.
  • File Deletion (T1070.004): Deleting files to cover tracks.
  • Subvert Trust Controls: Gatekeeper Bypass (T1553.001): Bypassing macOS Gatekeeper protections.
  • Subvert Trust Controls: Code Signing (T1553.002): Using stolen code signing certificates to appear legitimate.
  • Boot or Logon Autostart Execution: Registry Run Folder (T1547.001): Adding entries to the registry for persistence.
  • Virtualization/Sandbox Evasion: System Checks (T1497.001): Performing checks to evade detection in virtualized environments.
  • Command and Scripting Interpreter: Powershell (T1058.001): Utilizing PowerShell for executing scripts.
  • Network Configuration Discovery (T1016): Discovering network configurations for further exploitation.
  • System Service Discovery (T1007): Identifying system services for potential vulnerabilities.
    • IoC:

  • [url] http://172[.]104.133.212:8880/new_analytics
  • [url] http://172[.]104.133.212:8880/opened
  • [url] http://172[.]104.133.212:8880/metrics
  • [url] http://172[.]104.133.212:8880/sede
  • [ip address] 139.162.179.170:8080
  • [url] deliverynetwork[.]observer/qfast/UpdateMC.zip
  • [url] deliverynetwork[.]observer/qfast/AdditionalFilesForMeet.zip
  • [domain] www[.]meeten.us
  • [domain] www[.]meetio.one
  • [domain] www[.]meetone.gg
  • [domain] www[.]clusee.com
  • [ip address] 199.247.4.86
  • [file name] CallCSSetup.pkg
  • [file hash] 9b2d4837572fb53663fffece9415ec5a
  • [file name] Meeten.exe
  • [file hash] 6a925b71afa41d72e4a7d01034e8501b
  • [file name] UpdateMC.exe
  • [file hash] 209af36bb119a5e070bad479d73498f7
  • [file name] MicrosoftRuntimeComponentsX64.exe
  • [file hash] d74a885545ec5c0143a172047094ed59
  • [file name] CluseeApp.pkg
  • [file hash] 09b7650d8b4a6d8c8fbb855d6626e25d

    • Full Research: https://www.cadosecurity.com/blog/meeten-malware-threat

    Tags: CRYPTO, FINANCIAL, PERSISTENCE, DISCOVERY, SCAM, WINDOWS, BROWSER, EXFILTRATION

    Check this following Post also