A sophisticated cyberattack campaign is now targeting those in the Web3 sector through a phony video conferencing platform, affecting both Windows and macOS systems with malicious software designed to steal cryptocurrency.

The "Meeten" Campaign

Identified by Cado Security Labs, this cyber threat has been named "Meeten" after the deceptive meeting app used in the campaign, which began in September 2024. The malware specifically aims to exfiltrate cryptocurrency, banking information, and sensitive credentials stored on web browsers and Mac Keychains.

Evolving Threat

Cado Security Labs reports that the attackers frequently change the app names and branding, previously using aliases such as "Clusee," "Cuesee," "Meetone," and "Meetio." These false identities are supported by formal-looking websites and social media profiles, often using AI-generated content to seem authentic.

Infection Process and Mechanism

Victims usually arrive at these fraudulent sites via phishing or social engineering. They are then misled into downloading what appears to be legitimate meeting software, only to receive the "Realst stealer" malware instead. One method of deception involves scammers impersonating known contacts on platforms like Telegram to initiate business discussions. In a particularly sophisticated instance, a fraudster shared an investment presentation belonging to the victim's own company, further convincing the target. This typically culminates in the target visiting the "Meeten" site, where JavaScript code can extract cryptocurrency directly from browsers before any malware is downloaded.

Technical Specifications

On macOS, the malware is distributed as a package named 'CallCSSetup.pkg'. Once executed, it uses the 'osascript' command-line tool to request the user's password, thereby gaining escalated privileges. A misleading error message is shown afterward, while in the background the malware harvests a wide range of data, including:

- Telegram login details
- Banking credentials
- Keychain information
- Browser cookies and stored credentials from browsers like Chrome, Opera, and Vivaldi
- Ledger and Trezor wallet information

For Windows users, the malware is delivered as an NSIS installer named 'MeetenApp.exe', digitally signed using a stolen certificate. This version employs more complex techniques to evade detection and maintain persistence. It collects similar information to the macOS variant but supports additional wallets such as Binance and Phantom.
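As an added illustration of how a defender might triage endpoint process telemetry for the behaviours described above (this is example code, not Cado Security Labs' tooling or anything from the report): the installer names come from the write-up, while the `osascript` "hidden answer" dialog pattern, the keychain-read command and the sample events are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# Installer names reported for the campaign (macOS .pkg and Windows NSIS).
INSTALLER_NAMES = {"callcssetup.pkg", "meetenapp.exe"}

# Assumed pattern: an AppleScript dialog that asks for a hidden (password) answer.
HIDDEN_ANSWER_RE = re.compile(r"display dialog.*with hidden answer", re.I)

# Assumed pattern: command-line reads of keychain items or the login keychain file.
KEYCHAIN_RE = re.compile(
    r"\bsecurity\b.*find-(generic|internet)-password|login\.keychain", re.I
)

# Constructed sample process events; not real telemetry from any incident.
SAMPLE_EVENTS = [
    {"host": "mac-01", "proc": "/usr/sbin/installer",
     "cmd": "installer -pkg /Users/alice/Downloads/CallCSSetup.pkg -target /"},
    {"host": "mac-01", "proc": "/usr/bin/osascript",
     "cmd": "osascript -e 'display dialog \"Helper needs your password\" "
            "default answer \"\" with hidden answer'"},
    {"host": "mac-01", "proc": "/usr/bin/security",
     "cmd": "security find-generic-password -ga Chrome"},
    {"host": "mac-02", "proc": "/usr/bin/osascript",
     "cmd": "osascript -e 'display notification \"Build finished\"'"},
]


def classify(event: Dict[str, str]) -> List[str]:
    """Return the indicator labels that a single process event triggers."""
    cmd = event["cmd"]
    hits = []
    if any(name in cmd.lower() for name in INSTALLER_NAMES):
        hits.append("known-installer-name")
    if event["proc"].endswith("osascript") and HIDDEN_ANSWER_RE.search(cmd):
        hits.append("osascript-password-prompt")
    if KEYCHAIN_RE.search(cmd):
        hits.append("keychain-read")
    return hits


def triage(events: List[Dict[str, str]]) -> Dict[str, str]:
    """Rate each host: two or more distinct indicators together is 'high'."""
    per_host: Dict[str, set] = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            per_host.setdefault(ev["host"], set()).update(hits)
    return {h: ("high" if len(t) >= 2 else "low") for h, t in per_host.items()}
```

A benign `osascript` notification (mac-02) produces no indicator, so only the host showing the installer, the password prompt and the keychain read together is escalated.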
