Employee Data Stolen in Hacker Attack on Maxar
December 3, 2024

Cybersecurity experts have uncovered a sophisticated scam campaign using counterfeit video conferencing applications to deploy a data-stealing malware called Realst, specifically targeting Web3 professionals. These fake apps are disguised as legitimate meeting platforms and are used to lure victims under the pretense of business discussions.
Fake Companies and AI-Generated Legitimacy
According to Tara Gould, a researcher at Cado Security, the attackers have created fake companies using AI to bolster credibility. They approach victims with investment opportunities and schedule video calls through fake meeting platforms. Victims are directed to download these fraudulent apps, which serve as a delivery mechanism for the Realst malware.
Operation “Meeten” and Targeting Strategy
The campaign, codenamed Meeten, utilizes fake platforms with names like Clusee, Cuesee, Meeten, Meetone, and Meetio. Victims are often approached on Telegram and urged to join video calls hosted on these platforms. Depending on the user’s operating system, they are prompted to download a Windows or macOS version of the application.
Malware Behavior on macOS
When launched on macOS, the app displays a compatibility error message, claiming that the user needs to provide their system password for the app to function. This tactic leverages an osascript technique commonly used by macOS malware families such as Atomic macOS Stealer, Cuckoo, MacStealer, and others. The malware then proceeds to extract sensitive data, including cryptocurrency wallet credentials, Telegram accounts, iCloud Keychain data, and browser cookies from popular browsers like Google Chrome, Edge, Opera, Brave, and Vivaldi.
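As an added illustration from the detection side (this is not code from the article, Cado Security, or the malware), the routine below scans constructed macOS process-execution records for the osascript password-prompt technique described above: an osascript dialog that asks for a secret, hides the typed input, and is spawned by an application outside the system paths. The record fields, the parent-path heuristic, and the sample events are assumptions.

```python
import re
from typing import Iterable

# Heuristic: a legitimate installer requests privileges through the OS
# authorization prompt, not through an AppleScript dialog; an osascript
# dialog that asks for a password and hides the typed text is the pattern
# the article attributes to Realst, Atomic, Cuckoo and MacStealer.
DIALOG_RE = re.compile(r"display\s+dialog", re.IGNORECASE)
SECRET_RE = re.compile(r"password|passphrase|keychain|credential", re.IGNORECASE)
HIDDEN_RE = re.compile(r"hidden\s+answer", re.IGNORECASE)
SYSTEM_PREFIXES = ("/System/", "/usr/bin/", "/bin/")  # assumed benign parents


def score_event(event: dict) -> list[str]:
    """Return the reasons an event looks like a credential-phishing prompt."""
    reasons: list[str] = []
    if event.get("process") != "osascript":
        return reasons
    cmd = event.get("cmdline", "")
    if DIALOG_RE.search(cmd) and SECRET_RE.search(cmd):
        reasons.append("osascript dialog requests a secret")
        if HIDDEN_RE.search(cmd):
            reasons.append("dialog hides typed input")
    parent = event.get("parent", "")
    if reasons and not parent.startswith(SYSTEM_PREFIXES):
        reasons.append(f"launched by non-system parent {parent}")
    return reasons


def detect(events: Iterable[dict]) -> list[tuple[int, list[str]]]:
    """Return (pid, reasons) for every suspicious event."""
    return [(e["pid"], r) for e in events if (r := score_event(e))]


# Constructed sample telemetry (hypothetical, not real campaign data).
SAMPLE_EVENTS = [
    {"pid": 101, "process": "osascript",
     "parent": "/Users/me/Downloads/Meeten.app/Contents/MacOS/Meeten",
     "cmdline": 'osascript -e \'display dialog "Enter your system password to fix a '
                'compatibility error" default answer "" with hidden answer\''},
    {"pid": 102, "process": "osascript", "parent": "/usr/bin/zsh",
     "cmdline": 'osascript -e \'display notification "Backup finished"\''},
    {"pid": 103, "process": "curl", "parent": "/bin/bash",
     "cmdline": "curl https://example.com"},
]

if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

Only pid 101 is reported, with all three reasons; the benign notification and the unrelated curl process produce no findings.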
Windows Malware Delivery
The malicious Windows installer is signed with a possibly stolen certificate from Brys Software Ltd. and is built with the Nullsoft Scriptable Install System (NSIS). The installer embeds an Electron application, which fetches the Rust-based malware executable from an attacker-controlled server.
AI-Powered Scams
Gould highlighted that attackers increasingly use AI to create realistic and professional-looking websites, making their scams harder to detect. This strategy has been previously seen in campaigns leveraging fake meeting software like meethub[.]gg, which was used to distribute stealer malware with similarities to Realst.
Broader Malware Campaigns
In recent months, other stealer campaigns have been uncovered, targeting cryptocurrency users and organizations. For instance:
- A June campaign named markopolo used counterfeit virtual meeting apps to deploy stealers like Rhadamanthys, Stealc, and Atomic to siphon cryptocurrency.
- The Banshee Stealer operation ceased after its source code was leaked, despite its earlier availability on cybercrime forums for a $3,000 monthly subscription.
- New malware families have also surfaced, such as Wish Stealer, Celestial Stealer, and Fickle Stealer, which target users of AI tools and unlicensed software with payloads like RedLine and Poseidon Stealer.
Implications for Web3 Professionals
These advertisements point to a growing interest in Web3 experts and Russian-speaking business owners, especially those who use software to optimize operations. According to security firms such as Kaspersky, targeted attacks of this kind, which seek unauthorized access to organizational resources, have increased.