Cado Security Labs has identified a Realst information stealer campaign that uses a fake video-conferencing app to steal crypto wallets and deliver malware. The scammers trick Web3 workers into downloading the app, which is distributed under names including Meeten, Meetio, Meeten.gg, Meeten.us, Meetone.gg, Cluesee.com and Cuesee, and which frequently changes name.
Threat actors use AI to generate and populate blogs, websites, and social media accounts on X and Medium so that they appear to be legitimate businesses before contacting the target and encouraging them to download the app.
Once downloaded, the malware searches for sensitive information such as bank card details, Telegram logins, and information about crypto wallets (especially Ledger, Trezor, Phantom, and Binance wallets) and sends it back to the attacker. It can also retrieve browser cookies and autofill credentials from Google Chrome, Microsoft Edge, Opera, Brave, Arc, CocCoc, and Vivaldi.
One user was contacted by someone impersonating an acquaintance, who sent the target a presentation from the target's own company about an investment. Other users have reported being on calls related to Web3 work and being instructed to download software.
AI is also increasingly being used to generate content for malware campaigns. According to Tara Gould, Threat Research Lead at Cado Security Labs, “By using AI, threat actors can quickly create realistic website content that adds legitimacy to their scams and makes it more difficult to detect suspicious websites.”
These fake websites, which encourage victims to download the malware instead of legitimate software, also contain JavaScript that steals crypto wallets stored in the web browser, even before the malware is installed. According to Paul Scott, Solutions Engineer at Cado Security, “When a user visits a malicious website with the wallet unlocked in the browser, the JavaScript on the site automatically checks for the presence of an unlocked wallet and attempts to transfer cryptocoins to a wallet controlled by the attacker.”
The campaign has been active for at least four months, has both macOS and Windows variants, and appears to be a variant of the Realst infostealer, which was first discovered in 2023 by security researcher iamdeadlyz.
Researchers advise users to be careful, especially if contacted about business opportunities via Telegram. Even if the contact appears to be an existing known contact, it is essential to verify the account. Always be cautious when opening links.
Never open anything from an unknown or unexpected party. If you receive a link, contact the sender and ask if they sent the link and why. If they send you something on Telegram and you normally communicate with them on Slack, contact them on the platform where you normally discuss business.
Ensure that you are using the best antivirus software and that it is up to date, or one of the best VPNs that includes browser-level threat protection.