Malware, Threat Intelligence

Massive infostealer campaign exploits legitimate brands


Numerous websites spoofing legitimate brands have been used by Russian cybercriminals to distribute information-stealing malware as part of the massive Tusk attack campaign, The Hacker News reports.

According to an analysis from Kaspersky, Tusk comprises nearly 20 sub-campaigns, three of which remain active; each of the three uses a Dropbox-hosted initial downloader to stage infostealer infections that compromise personal and financial information.

In the TidyMe sub-campaign, a site hosted at tidyme[.]io impersonates peerme[.]io and prompts visitors to download a malicious Electron app; once run, the app deploys Hijack Loader, which in turn delivers a variant of the StealC infostealer. The RuneOnlineWorld sub-campaign spoofs the popular Rise Online World game and spreads both the StealC and DanaBot infostealers as well as a Go-based clipper. The Voico sub-campaign impersonates the artificial intelligence translator project YOUS and likewise delivers StealC. "The campaigns [...] demonstrate the persistent and evolving threat posed by cybercriminals who are adept at mimicking legitimate projects to deceive victims. The reliance on social engineering techniques such as phishing, coupled with multistage malware delivery mechanisms, highlights the advanced capabilities of the threat actors involved," said Kaspersky researchers.
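For defenders, the usable pieces of the report are the published indicator (the spoofed domain, given defanged as tidyme[.]io) and the observation that the active sub-campaigns stage their first-stage downloader on Dropbox. The script below is an added example, not code from Kaspersky, SC Media or The Hacker News: it refangs the indicator, matches it against proxy log hostnames (exact or subdomain match, so a lookalike such as nottidyme.io and the legitimate peerme.io do not alert), and then flags any client that fetched something from Dropbox shortly after visiting the spoofed site. The log lines, the space-separated log format and the ten-minute correlation window are all constructed assumptions.

```python
"""Hunt proxy logs for the TidyMe spoofed domain and a Dropbox follow-up fetch.

Added example; not the vendor's or publisher's code. The log format
(timestamp client method url status) and the sample lines are constructed.
"""
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Indicator published in the report, kept defanged exactly as printed.
DEFANGED_IOCS = ["tidyme[.]io"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (tidyme[.]io, hxxps://) back into a usable form."""
    return (indicator.replace("[.]", ".")
                     .replace("(.)", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://")
                     .lower())


def extract_host(url: str) -> str:
    """Hostname from a URL (or bare host); lowercased, empty if unparseable."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()


def host_matches(host: str, ioc_host: str) -> bool:
    """True for the IOC itself or any subdomain of it, never for a lookalike.

    www.tidyme.io matches tidyme.io; nottidyme.io and peerme.io do not.
    """
    host = host.lower().rstrip(".")
    return host == ioc_host or host.endswith("." + ioc_host)


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def _records(log_text: str):
    """Yield (ts, client, host, url) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, _method, url = fields[:4]
        yield ts, client, extract_host(url), url


def hunt(log_text: str, defanged_iocs=DEFANGED_IOCS):
    """Return one hit per log line whose host is the IOC or a subdomain of it."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for ts, client, host, _url in _records(log_text):
        for ioc in iocs:
            if host_matches(host, ioc):
                hits.append({"ts": ts, "client": client, "host": host, "ioc": ioc})
    return hits


def dropbox_followups(log_text: str, hits, window_minutes: int = 10):
    """Flag Dropbox fetches by a client within the window after its IOC hit.

    The report says the active sub-campaigns host the initial downloader on
    Dropbox; the window size is an assumption, not a figure from the report.
    """
    followups = []
    for ts, client, host, url in _records(log_text):
        if not host_matches(host, "dropbox.com"):
            continue
        t = parse_ts(ts)
        for h in hits:
            delta = t - parse_ts(h["ts"])
            if h["client"] == client and timedelta(0) <= delta <= timedelta(minutes=window_minutes):
                followups.append({"ts": ts, "client": client, "url": url, "after_ioc": h["host"]})
                break
    return followups


# Constructed sample log: one client visits the real peerme.io, then the spoofed
# site, then pulls an installer from Dropbox; a second client only touches a
# subdomain of the IOC; a lookalike domain is present to prove it does not alert.
SAMPLE_LOG = """\
2024-08-15T10:01:02Z 10.0.0.12 GET https://peerme.io/ 200
2024-08-15T10:03:41Z 10.0.0.12 GET https://tidyme.io/download 200
2024-08-15T10:03:45Z 10.0.0.12 GET https://www.dropbox.com/scl/fi/abc/TidyMe-Setup.exe?dl=1 302
2024-08-15T10:05:00Z 10.0.0.33 GET https://cdn.tidyme.io/app.zip 200
2024-08-15T10:06:00Z 10.0.0.33 GET https://nottidyme.io/ 200
"""

if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for h in found:
        print("IOC hit:", h)
    for f in dropbox_followups(SAMPLE_LOG, found):
        print("Dropbox follow-up:", f)
```

The subdomain test is deliberately strict: a suffix match without the leading dot would also fire on nottidyme.io, and a substring match would fire on any host containing the string. Refanging is done once on the indicator list rather than on every log line, so indicators can be pasted straight from a report.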
