Global infostealer malware operation targets crypto users, gamers
A massive infostealer malware operation encompassing thirty campaigns targeting a broad spectrum of demographics and system platforms has been uncovered, attributed to a cybercriminal group named "Marko Polo."
The threat actors use a variety of distribution channels, including malvertising, spearphishing, and brand impersonation in online gaming, cryptocurrency, and software, to spread 50 malware payloads, including AMOS, Stealc, and Rhadamanthys.
According to Recorded Future's Insikt Group, which has been tracking the Marko Polo operation, the malware campaign has impacted thousands, with potential financial losses in the millions.
"Based on the widespread nature of the Marko Polo campaign, Insikt Group suspects that likely tens of thousands of devices have been compromised globally — exposing sensitive personal and corporate data," warns Recorded Future's Insikt Group.
"This poses significant risks to both consumer privacy and business continuity. Almost certainly generating millions of dollars in illicit revenue, this operation also highlights the negative economic effects of such cybercriminal activities."
Setting high-value traps
Insikt Group reports that Marko Polo primarily relies on spearphishing via direct messages on social media platforms to reach high-value targets such as cryptocurrency influencers, gamers, software developers, and other people likely to handle valuable data or assets.
Victims are lured into downloading malicious software by interacting with what they are tricked into believing are legitimate job opportunities or project collaborations.
Some of the brands that are impersonated include Fortnite (gaming), Party Icon (gaming), RuneScape (gaming), Rise Online World (gaming), Zoom (productivity), and PeerMe (cryptocurrency).
Marko Polo also uses its own made-up brands not related to existing projects, like Vortax/Vorion and VDeck (meeting software), Wasper and PDFUnity (collaboration platforms), SpectraRoom (crypto communications), and NightVerse (web3 game).
In some cases, the victims are led to a website for fake virtual meeting, messaging, and game applications, which are used to install malware. Other campaigns distribute the malware through executables (.exe or .dmg) in torrent files.
Hitting both Windows and macOS
Marko Polo's toolkit is diverse, showing the threat group's capability to carry out multi-platform and multi-vector attacks.
On Windows, HijackLoader is used for delivering Stealc, a general-purpose lightweight info-stealer designed to collect data from browsers and crypto wallet apps, or Rhadamanthys, a more specialized stealer that targets a broad range of applications and data types.
In a recent update, Rhadamanthys added a clipper plugin capable of diverting cryptocurrency payments to the attackers' wallets, the ability to recover deleted Google Account cookies, and Windows Defender evasion.
When the target uses macOS, Marko Polo deploys Atomic ('AMOS'). This stealer launched in mid-2023 and is rented to cybercriminals for $1,000/month, allowing them to snatch various data stored in web browsers.
AMOS can also brute-force MetaMask seeds and steal Apple Keychain passwords to get hold of WiFi passwords, saved logins, credit card data, and other encrypted information stored on macOS.
Malicious campaigns involving information-stealing malware have seen massive growth over the years, with threat actors targeting victims through zero-day vulnerabilities, fake VPNs, fixes to GitHub issues, and even answers on StackOverflow.
The stolen credentials are then used to breach corporate networks, conduct data theft campaigns like we saw with the massive Snowflake account breaches, and cause chaos by corrupting network routing information.
To mitigate the risk of downloading and running infostealer malware on your system, do not follow links shared by strangers and only download software from the official project websites.
The malware used by Marko Polo is detected by most up-to-date antivirus software, so scanning downloaded files before executing them should disrupt the infection process before it starts.