A recent social engineering campaign targeted job seekers in the Web3 space with fake job interviews through a malicious "GrassCall" meeting app that installs information-stealing malware to steal cryptocurrency wallets. Users are tricked into installing software that deploys information-stealing malware on devices that can be used to steal passwords, authentication cookies, and wallets from the compromised computer. Cybersecurity researcher g0njxa, who has been tracking these threat actors, told BleepingComputer that the GrassCall website is a clone of a "Gatherum" website used in a previous campaign. "Gatherum is a self-proclaimed AI-enhanced virtual meeting software that is primarily advertised on social media (@GatherumAI) and an AI-generated Medium blog (medium[.]com/@GatherumApp)," explains a Recorded Future report on the Crazy Evil cybercriminals. Cybersecurity researcher MalwareHunterTeam, who has also been tracking these campaigns, told BleepingComputer that Crazy Evil has launched a new campaign pretending to be an NFT blockchain game called Mystix. Like other campaigns by these threat actors, the game targets those in the crypto space and utilizes similar malware to steal cryptocurrency wallets. "If a wallet is found, passwords are bruteforced and assets drained, and a payment is issued to the user who made the victim download the fake software," the researcher told BleepingComputer. When executed, the malware will attempt to steal files based on keywords, cryptocurrency wallets, passwords stored in Apple Keychain, and passwords and authentication cookies stored in web browsers. A Telegram group has been created to discuss the attack and for those impacted to help each other remove the malware infections from Mac and Windows devices. When contacted, the fake CMO would tell the target that they needed to download a video meeting software called "GrassCall" using the included website and code. The researcher says these websites are utilized as a part of social engineering attacks conducted by a Crazy Evil subgroup known as "kevland," which is also described in a report by Recorded Future. This group conducts social engineering attacks to trick users into downloading malicious software on their Windows and Mac devices. The researcher says the payment information for Crazy Evil members is publicly posted to Telegram, revealing that members of this operation can make tens, if not hundreds, of thousands of dollars for each victim they successfully drain. Lawrence Abrams Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. This cybercrime group is known for targeting users in the cryptocurrency space, where they promote fake games or job opportunities over social media.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 26 Feb 2025 23:30:13 +0000