Cybercriminals have recently developed a malicious technique to target Web3 professionals, launching a malware campaign that employs fake business meetings via phishing video conferencing sites.
The malicious activity successfully compromises both Windows and Mac computers, enabling the theft of cryptocurrency and other sensitive digital assets. Security experts have exposed this alarming scam, which involves the deployment of an information stealer named Realst.
According to Cado Security researcher Tara Gould:
The threat actors behind the malware have set up fake companies using AI to make them increase legitimacy. The company reaches out to targets to set up a video call, prompting the user to download the meeting application from the website, which is Realst infostealer.
The attack masquerades as routine business dealings, luring inexperienced Web3 professionals into a carefully staged digital trap.
The “Meeten” campaign, whose name plays on a common term for meeting software, has been running since September 2024. Available for both Windows and macOS, the malware is designed to steal private information such as banking details, cryptocurrency assets, browser data, and macOS Keychain credentials.
Fake startups frequently present themselves as legitimate by creating professional-looking websites and social media profiles, often populated with AI-generated content to boost their credibility.
These fake sites use phishing or social engineering techniques to trick victims into downloading a fake “meeting application.” In reality, the download contains the Realst malware.
Usually, threat actors approach potential victims with promising investment options on Telegram, where the attacks start. Then, using one of these fraudulent sites, they ask the targets to join a video conference.
Cybercriminals Use Malware-Laden Apps to Target Windows and macOS Users
The website asks users to download the “meeting app,” which is specific to their operating system (Windows or macOS). To steal sensitive data, the attackers lead the victims through the installation of the malware-filled program during the video conversation.
A particular warning appears when the software is installed on macOS: “The current version of the app is not fully compatible with your version of macOS”.
Users must enter their system password to continue. The fake prompt is generated with osascript, a technique commonly used by macOS stealers such as Cuckoo, MacStealer, Banshee Stealer, Cthulhu Stealer, and Atomic macOS Stealer.
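The osascript password prompt described above is one of the few behaviours in this chain that a defender can look for directly in endpoint telemetry. The following Python script is an added example, not code from the article or from Cado Security: it scans process-execution records for osascript invocations that open a dialog with a hidden (password-style) answer field, and flags those launched from a parent outside an assumed allowlist. The log format (`pid|parent|cmdline`), the allowlist, and the sample events (including a hypothetical "Meeten" parent whose dialog text mirrors the compatibility warning quoted in the article) are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of process-execution events in a simple "pid|parent|cmdline" form.
# These are not real telemetry; the "Meeten" and "Installer" lines imitate the fake
# compatibility/password dialog behaviour the article describes.
SAMPLE_EVENTS = [
    "4101|Terminal|/usr/bin/osascript -e 'display notification \"Build finished\"'",
    "4102|Meeten|/usr/bin/osascript -e 'display dialog \"The current version of the app is not fully compatible with your version of macOS. Please enter your password to continue.\" default answer \"\" with hidden answer with icon caution'",
    "4103|Script Editor|/usr/bin/osascript /Users/alice/rename_files.scpt",
    "4104|Installer|/usr/bin/osascript -e 'display dialog \"Enter password\" default answer \"\" with hidden answer'",
]

# Parent processes assumed (for this example) to legitimately wrap osascript dialogs
# on a managed fleet. A real deployment would tune this list to its own environment.
TRUSTED_PARENTS = {"Script Editor", "Automator"}

DIALOG = re.compile(r"display\s+dialog", re.IGNORECASE)
HIDDEN_ANSWER = re.compile(r"with\s+hidden\s+answer", re.IGNORECASE)
CRED_WORDS = re.compile(r"\b(password|passcode|keychain|credentials?)\b", re.IGNORECASE)


@dataclass
class Finding:
    pid: str
    parent: str
    reasons: list = field(default_factory=list)


def analyze_cmdline(parent, cmdline):
    """Return a list of reasons this command line looks like a credential prompt.

    An empty list means the event is not suspicious under these rules.
    """
    reasons = []
    if "osascript" not in cmdline:
        return reasons
    # A dialog with "with hidden answer" renders a masked text field: the AppleScript
    # idiom stealers use to imitate a system password request.
    if DIALOG.search(cmdline) and HIDDEN_ANSWER.search(cmdline):
        reasons.append("osascript dialog with hidden (password-style) input")
        if CRED_WORDS.search(cmdline):
            reasons.append("prompt text asks for credentials")
        if parent not in TRUSTED_PARENTS:
            reasons.append(f"launched by untrusted parent process: {parent}")
    return reasons


def scan(events):
    """Scan pid|parent|cmdline records and return Findings for suspicious ones."""
    findings = []
    for line in events:
        pid, parent, cmdline = line.split("|", 2)
        reasons = analyze_cmdline(parent, cmdline)
        if reasons:
            findings.append(Finding(pid, parent, reasons))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid {f.pid} ({f.parent}): " + "; ".join(f.reasons))
```

Matching on `with hidden answer` rather than on the dialog text keeps the rule useful when the wording changes between campaigns; the parent-process check is what separates a user-driven script from a prompt spawned by a freshly installed "meeting app".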
The malware's main goal is to extract private information and send it to a remote server. Cryptocurrency wallets, Telegram login credentials, financial data, iCloud Keychain data, and browser cookies are among the targets. Affected browsers include Google Chrome, Microsoft Edge, Opera, Brave, Arc, Cốc Cốc, and Vivaldi.
A fake error message is displayed during the process, stating: “Cannot connect to the server. Please reinstall or use a VPN.” Meanwhile, the Realst malware silently exfiltrates sensitive data from the victim’s system.
The malware spreads via MeetenApp.exe, a Windows installation package that masquerades as legitimate software by using a stolen digital certificate. The installer contains an Electron app that conceals malicious code using complex compilation techniques to evade detection.
After installation, additional files, including the main malware payload and a system profiler, are downloaded from a remote server to facilitate further data theft.
Threat actors are increasingly using AI to create convincing material for scams, even as recent attention on the technology has focused on its role in creating malware.
Threat actors can create convincing website content via AI, which gives fraudulent campaigns more validity and makes it more difficult to identify fraudulent websites. This pattern highlights the increasing use of AI as a social engineering technique.
Experts recommend that users be on alert for business opportunities on Telegram. Verify accounts and avoid clicking on untrusted links, even from known contacts. If in doubt, confirm the link’s authenticity with the sender, preferably through a trusted communication channel.
Security Awareness Training remains one of the most cost-effective methods of boosting cyber-security within your business. Have a look at our free Click-Prone® Test to find out how many of your staff are susceptible to a phishing attack and learn how you can reduce this number today.