Realst malware targets Web3 professionals using fake companies like “Meetio” with AI-generated content. Victims are lured into downloading malicious meeting apps during fake video calls.
Meeten Malware
Realst is a sophisticated crypto-stealing malware that has been targeting Web3 professionals for the past four months. Once the malware is installed, it steals sensitive information such as cryptocurrency wallet credentials and private keys.
The malware’s creators have employed advanced tactics, including the use of AI-generated content to create fake companies, like “Meetio,” to appear legitimate. By tricking victims into participating in video calls, cybercriminals convince them to download a malicious meeting application from compromised websites. This ongoing campaign highlights the increasing complexity of cyber threats within the Web3 space, posing significant risks to users involved in cryptocurrency and blockchain technology.
The threat actor, known by aliases like Meeten, Clusee, and Meetio, uses advanced social engineering tactics to trick victims into downloading malicious software. They create convincing fake company websites and social media profiles to appear legitimate.
By targeting specific individuals, they impersonate known contacts or exploit existing business relationships to set up calls. During the conversation, they persuade victims to download software under the pretense of legitimate business or Web3 projects. Once installed, the malware steals sensitive information, such as cryptocurrency wallet details, which can lead to significant financial loss.
The macOS malware, disguised as a legitimate app, uses social engineering to trick victims into installing it. Once executed, it silently steals sensitive data from browsers, wallets, and system credentials, then sends it to a remote server.
It also collects system info, which is sent to a command-and-control server for further analysis and potential future attacks.
Cado Security Labs found a Windows version of Meeten malware, named MeetenApp.exe, which uses a stolen signature from Brys Software. The installer runs an Electron app that collects system information (HWID, IP, hostname, OS, users, RAM, etc.) and sends it to a remote server.
Additionally, UpdateMC is a Rust-based malware that steals sensitive data, including Telegram credentials, banking info, browser data, and cryptocurrency wallet details. The stolen data is compressed into a ZIP file and sent to a specific IP address. To maintain persistence, it adds a registry key to run at startup.
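One way a defender can turn the network indicators reported for this campaign into a detection is to refang them and match destination hosts in proxy logs. The following is an added example, not code from the article or from Cado Security Labs; the proxy log format and the sample lines are constructed assumptions.

```python
from urllib.parse import urlparse

# Network indicators reported for the Meeten/Realst campaign, kept in the
# defanged "[.]" form so they are never accidentally clicked or resolved.
DEFANGED_IOCS = [
    "http://172[.]104.133.212:8880/new_analytics",
    "http://172[.]104.133.212:8880/opened",
    "http://172[.]104.133.212:8880/metrics",
    "http://172[.]104.133.212:8880/sede",
    "139[.]162[.]179.170:8080",
    "deliverynetwork[.]observer/qfast/UpdateMC.zip",
    "deliverynetwork[.]observer/qfast/AdditionalFilesForMeet.zip",
    "www[.]meeten.us", "www[.]meetio.one", "www[.]meetone.gg", "www[.]clusee.com",
    "199[.]247.4.86",
]

def refang(ioc: str) -> str:
    """Turn the defanged '[.]' notation back into a parsable value."""
    return ioc.replace("[.]", ".")

def host_of(value: str) -> str:
    """Normalised hostname (lower-case, no leading 'www.') from a URL or host:port."""
    if "://" not in value:
        value = "http://" + value            # urlparse only sees a netloc after a scheme
    host = (urlparse(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

IOC_HOSTS = {host_of(refang(i)) for i in DEFANGED_IOCS}

# Constructed proxy log lines (assumed format: time client method url status).
SAMPLE_LOG = [
    "2024-12-05T10:01:02Z 10.0.0.5 GET http://172.104.133.212:8880/new_analytics 200",
    "2024-12-05T10:01:09Z 10.0.0.5 GET https://www.google.com/ 200",
    "2024-12-05T10:02:31Z 10.0.0.7 GET http://deliverynetwork.observer/qfast/UpdateMC.zip 200",
    "2024-12-05T10:03:00Z 10.0.0.7 CONNECT 139.162.179.170:8080 200",
    "2024-12-05T10:04:15Z 10.0.0.9 GET https://meetio.one/download 200",
]

def scan_proxy_log(lines):
    """Return one dict per log line whose destination host is a campaign indicator."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue                          # skip malformed lines instead of crashing
        ts, client, _method, url, _status = parts[:5]
        host = host_of(url)
        if host in IOC_HOSTS:
            hits.append({"time": ts, "client": client, "url": url, "host": host})
    return hits

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['host']}  ({hit['url']})")
```

Matching on the normalised host rather than the full URL also catches the same C2 server contacted on a path not in the published list.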
Recent campaigns use AI-generated content to lure users into downloading malware disguised as legitimate Electron apps; because the fake websites and marketing copy read convincingly, they are hard to distinguish from genuine projects, which raises the success rate of the attacks.
To stay safe, users should be cautious with unsolicited messages, especially on platforms like Telegram, verify message sources, and avoid clicking on suspicious links.
IOCs