Cybersecurity researchers are raising alarms about a new scam campaign that uses fake video conferencing apps to distribute an information stealer called Realst. This malware specifically targets Web3 professionals by posing as legitimate business meeting tools.
Cado Security researcher Tara Gould explained, “The threat actors behind this malware create fake companies, often using AI to boost their credibility. These fake companies then contact targets to arrange a video call, instructing them to download the meeting app from a website that, in reality, delivers the Realst infostealer.”
The security company has labeled this activity as “Meeten” due to the use of names like Clusee, Cuesee, Meeten, Meetone, and Meetio for the fraudulent websites.
The attack begins by approaching potential victims on Telegram with an enticing investment opportunity. To proceed, the attackers urge victims to join a video call hosted on one of the malicious platforms. When victims visit the site, the attackers prompt them to download either a Windows or macOS version of the app, depending on their operating system.
After installation on macOS, the app displays a message stating, “The current version of the app is not fully compatible with your version of macOS,” and requests the system password to function properly.
Attackers rely on an osascript technique, a method also used by macOS stealer families like Atomic macOS Stealer, Cuckoo, MacStealer, Banshee Stealer, and Cthulhu Stealer. Ultimately, the attack aims to extract sensitive data, including cryptocurrency wallet credentials, and send it to a remote server.
Moreover, the attackers designed the malware to steal additional information, including Telegram credentials, banking details, iCloud Keychain data, and browser cookies from platforms like Google Chrome, Microsoft Edge, Opera, Brave, Arc, Cốc Cốc, and Vivaldi.
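A defender-side check for the password-prompt behaviour described above. This is an added Python example, not code from the article or from Cado Security: it scans constructed process-execution telemetry for osascript launches that display a hidden-input dialog asking for a password, and notes when the parent process is a third-party app rather than a platform component. The tab-separated log format and the Meeten.app path are assumptions.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed endpoint telemetry (not from the article): tab-separated
# timestamp, user, parent executable, and full command line of the new process.
SAMPLE_EVENTS = """\
2024-12-06T10:02:11Z\talice\t/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder\t/usr/bin/osascript -e 'display notification "Sync finished" with title "Backup"'
2024-12-06T10:05:42Z\talice\t/Applications/Meeten.app/Contents/MacOS/Meeten\t/usr/bin/osascript -e 'display dialog "The current version of the app is not fully compatible with your version of macOS. Enter your password to continue." default answer "" with hidden answer with icon caution'
2024-12-06T10:06:03Z\talice\t/bin/zsh\t/usr/bin/osascript /Users/alice/scripts/resize_windows.scpt
"""

@dataclass
class Finding:
    timestamp: str
    user: str
    parent: str
    reasons: List[str]

# Indicators of a credential-harvesting prompt: a dialog whose text field hides
# what is typed, wording that asks for a password, and a non-platform parent.
HIDDEN_INPUT = re.compile(r'display dialog .*?default answer\s+""\s+with hidden answer', re.S)
PASSWORD_WORDS = re.compile(r"\b(password|passcode|credentials?)\b", re.I)
TRUSTED_PARENT_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/")

def analyse_event(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious osascript launch, else None."""
    timestamp, user, parent, cmdline = line.split("\t", 3)
    image = cmdline.split(" ", 1)[0]
    if os.path.basename(image) != "osascript":
        return None
    reasons = []
    if HIDDEN_INPUT.search(cmdline):
        reasons.append("dialog with hidden (password-style) input field")
    if PASSWORD_WORDS.search(cmdline):
        reasons.append("prompt text asks for a password or credentials")
    if not reasons:
        return None  # ordinary automation use of osascript
    if not parent.startswith(TRUSTED_PARENT_PREFIXES):
        reasons.append(f"spawned by third-party app: {parent}")
    return Finding(timestamp, user, parent, reasons)

def scan(events: str) -> List[Finding]:
    """Run analyse_event over every non-empty line of the telemetry."""
    return [f for f in (analyse_event(l) for l in events.splitlines() if l.strip()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.timestamp, finding.user, finding.parent, "; ".join(finding.reasons))
```

Only the Meeten-spawned dialog is flagged; the notification and the script run from the shell pass as benign automation.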
The Windows version of the app uses a Nullsoft Scriptable Install System (NSIS) installer, signed with what appears to be a stolen legitimate signature from Brys Software Ltd. Inside the installer, an Electron application fetches the stealer executable, a Rust-based binary, from an attacker-controlled domain.
Gould noted, “Threat actors are increasingly relying on AI to create content for their campaigns. AI allows them to quickly generate realistic website content that adds credibility to their scams and makes it harder to spot suspicious sites.”
This tactic of using fake meeting software to spread malware is not new. Back in March, Jamf Threat Labs uncovered a fake website, meethub[.]gg, which distributed stealer malware with similarities to Realst.
By June, Recorded Future documented another campaign, known as Markopolo, which targeted cryptocurrency users. This operation used fraudulent virtual meeting software to deploy stealers like Rhadamanthys, Stealc, and Atomic, enabling attackers to drain victims’ cryptocurrency wallets.
Meanwhile, the operators behind the Banshee Stealer macOS malware abruptly ceased their activities following the unexpected leak of their source code. Although the reasons behind the leak remain unknown, Banshee Stealer had been offered on cybercrime forums for a monthly fee of $3,000.
Simultaneously, new stealer malware families—such as Fickle Stealer, Wish Stealer, Hexon Stealer, and Celestial Stealer—have emerged. At the same time, users and businesses seeking pirated software or AI tools are being targeted with RedLine Stealer and Poseidon Stealer.
Kaspersky explained, “The attackers behind this campaign are focused on infiltrating organizations run by Russian-speaking entrepreneurs who depend on software to automate their business processes.”
Source: TheHackerNews