Meeten Campaign Leverages Social Platforms to Deliver Malware to Crypto Users


VTA-004522 – Meeten Campaign Leverages Social Platforms to Deliver Malware to Crypto Users

A social engineering campaign is targeting cryptocurrency users, deploying malware to steal digital assets from Windows and macOS systems. Attackers impersonate AI, gaming, and Web3 startups using spoofed social media accounts and professional-looking documentation hosted on platforms like Notion and GitHub. The campaign, active since at least March 2024, leverages compromised, verified X accounts to lend legitimacy to fake companies, such as Eternal Decay (@metaversedecay), which uses altered images to appear credible.

The attack begins with messages on X, Telegram, or Discord, offering cryptocurrency payments to test software. Victims are directed to fraudulent websites to download malicious Windows Electron applications or macOS DMG files. On Windows, the app displays a fake Cloudflare verification while executing an MSI installer, likely deploying an information stealer. On macOS, the Atomic macOS Stealer (AMOS) extracts data from browsers and crypto wallets, establishing persistence via a Launch Agent and logging user interactions.
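The macOS persistence step above (a Launch Agent that relaunches the stealer at login) is also the step a defender can audit cheaply. The script below is an added illustration for this advisory, not tooling from Darktrace or from the advisory's author: it parses LaunchAgent plists with the standard library and flags the traits that dropper-installed agents tend to share (an interpreter rather than a signed app as the program, references to staging or hidden directories, an Apple-style label for a non-Apple program, RunAtLoad/KeepAlive). The two embedded plists are constructed samples, not real indicators from this campaign, and the label and path patterns are assumptions about typical dropper behaviour rather than details taken from the page.

```python
import plistlib
from pathlib import Path

# Assumed heuristics for this example; tune the lists to the environment.
# Locations a legitimately installed agent normally points at.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/")
# World- or user-writable staging directories commonly used by droppers.
STAGING_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/", "/Users/Shared/")
# Interpreters and download tools a stager invokes instead of a signed application binary.
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python", "python3", "perl", "curl"}


def audit_launch_agent(plist_bytes: bytes, source: str = "<inline>") -> dict:
    """Parse one LaunchAgent plist and return a verdict plus the reasons behind it."""
    agent = plistlib.loads(plist_bytes)
    label = str(agent.get("Label", ""))
    args = list(agent.get("ProgramArguments") or [])
    if not args and "Program" in agent:
        args = [agent["Program"]]
    program = args[0] if args else ""
    strong, weak = [], []  # strong signals alone trigger a verdict; weak ones need to accumulate

    if not program:
        weak.append("no Program or ProgramArguments key")
    elif not program.startswith(TRUSTED_PREFIXES):
        weak.append(f"program outside standard install locations: {program}")
    if Path(program).name in INTERPRETERS:
        strong.append(f"runs interpreter/download tool {Path(program).name!r} rather than a signed app")
    if label.startswith("com.apple.") and not program.startswith(("/System/", "/usr/")):
        strong.append("Apple-style label for a non-Apple program")
    for token in args:
        if token.startswith(STAGING_PREFIXES):
            strong.append(f"references staging directory: {token}")
        if token.startswith("/") and any(p.startswith(".") for p in Path(token).parts[1:]):
            strong.append(f"references hidden path component: {token}")
    if agent.get("RunAtLoad"):
        weak.append("RunAtLoad set (starts at every login)")
    if agent.get("KeepAlive"):
        weak.append("KeepAlive set (relaunches if killed)")

    return {
        "source": source,
        "label": label,
        "program": program,
        "suspicious": bool(strong) or len(weak) >= 3,
        "reasons": strong + weak,
    }


def scan_launch_agents(directory=Path.home() / "Library" / "LaunchAgents") -> list:
    """Audit every plist in a LaunchAgents directory (the per-user one by default)."""
    results = []
    for plist in sorted(Path(directory).glob("*.plist")):
        try:
            results.append(audit_launch_agent(plist.read_bytes(), str(plist)))
        except (plistlib.InvalidFileException, ValueError) as exc:
            # An agent that launchd cannot parse is still worth a look.
            results.append({"source": str(plist), "label": "", "program": "",
                            "suspicious": True, "reasons": [f"unparseable plist: {exc}"]})
    return results


# Constructed sample plists (not real indicators): a benign updater and a dropper-style agent.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/example-updater</string>
    <string>--check</string>
  </array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.update.helper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>/tmp/.cache/helper</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for sample in (BENIGN_PLIST, SUSPECT_PLIST):
        verdict = audit_launch_agent(sample)
        print(verdict["label"], "SUSPICIOUS" if verdict["suspicious"] else "ok", verdict["reasons"])
```

Run `scan_launch_agents()` on a workstation to review the per-user agents, and `scan_launch_agents("/Library/LaunchAgents")` for the system-wide ones. A program under the user's home directory is deliberately only a weak signal, because legitimate per-user updaters live there too; pair the verdicts with an allowlist of known labels rather than treating every hit as an incident.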

Darktrace researcher Tara Gould notes similarities with the Crazy Evil group, known for distributing StealC, AMOS, and Angel Drainer malware. The campaign’s use of legitimate platforms and evasive malware underscores its deceptive tactics.

Severity:
Medium

Attack Surface:
Online Fraud

Tactics:
Credential Access, Exfiltration, Initial Access

Techniques:
T1566.001: Phishing – Spearphishing Attachment
T1204.002: User Execution – Malicious File
T1071.001: Application Layer Protocol – Web Protocols
T1553.002: Subvert Trust Controls – Code Signing
T1547.001: Boot or Logon Autostart Execution – Registry Run Keys / Startup Folder
T1003: Credential Dumping

Indicators of Compromise:
1. https://otx.alienvault.com/pulse/6870031f8f6e65b11412fca6

References:
1. https://www.darktrace.com/blog/crypto-wallets-continue-to-be-drained-in-elaborate-social-media-scam

SuperPRO’s Threat Countermeasures Procedures:
1. Verify the authenticity of companies through official channels before downloading software.
2. Avoid clicking links or downloading files from unsolicited messages on social platforms.
3. Use endpoint protection to detect and block malicious installers and scripts.
4. Enable two-factor authentication on cryptocurrency wallets and accounts.
5. Regularly monitor accounts for unauthorized transactions or access.
6. Educate users about social engineering tactics and phishing red flags.

Contributed by: Hadi