Cybercriminals Use Fake Websites to Spread DanaBot and StealC Malware

Cybersecurity experts have uncovered a sophisticated malware campaign in which attackers mimic well-known brands to distribute harmful software like DanaBot and StealC.

This campaign, orchestrated by Russian-speaking cybercriminals under the codename “Tusk,” includes multiple sub-campaigns that exploit the trust users place in reputable platforms. These attackers lure victims into downloading malware through fake websites and social media accounts designed to look authentic.

According to the report, “All active sub-campaigns utilize Dropbox to host the initial downloader.” This downloader is responsible for delivering additional malicious software to the victim’s device, including info-stealers like DanaBot and StealC, as well as clippers.

So far, 19 sub-campaigns have been identified, with three currently active. The name “Tusk” originates from the term “Mammoth,” used by the threat actors in log messages associated with the downloader. Notably, “mammoth” is a slang term frequently used by Russian cybercriminal groups to refer to their victims.

These campaigns are particularly notable for their use of phishing tactics, tricking victims into divulging personal and financial information. This stolen data is then either sold on the dark web or used to gain unauthorized access to gaming accounts and cryptocurrency wallets.

One of the active sub-campaigns, known as TidyMe, imitates the legitimate site peerme[.]io through a lookalike site hosted on tidyme[.]io (and related domains tidymeapp[.]io and tidyme[.]app). The site prompts users to download a malicious program for both Windows and macOS systems, with the executable served via Dropbox.

Once downloaded, the Electron-based application prompts the victim to enter a CAPTCHA. Afterward, the main interface is displayed, while two additional malicious files are quietly downloaded and executed in the background.

These payloads include Hijack Loader artifacts, which ultimately deploy a variant of the StealC stealer malware, capable of collecting a wide range of sensitive information.

Another sub-campaign, RuneOnlineWorld (“runeonlineworld[.]io”), uses a fake website mimicking a massively multiplayer online (MMO) game called Rise Online World. This site distributes a similar downloader that installs DanaBot and StealC on the compromised systems.

In addition, this campaign distributes a Go-based clipper malware via Hijack Loader. This malware monitors clipboard content and swaps out copied wallet addresses with those controlled by the attacker, enabling fraudulent Bitcoin transactions.

The third active campaign, Voico, pretends to be an AI translator project named YOUS (yous[.]ai). The fake site, voico[.]io, prompts victims to download an initial downloader, which asks them to fill out a registration form with their credentials. These details are then logged and used for malicious purposes.

The final payloads in this campaign behave similarly to those in the second sub-campaign, with the difference being that the StealC malware communicates with a different command-and-control (C2) server.
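Reports like this one publish domains in defanged form (`tidyme[.]io`). The following added example, which is not part of the original article, refangs the indicators named above, separates them from the impersonated brands' own domains (an analyst-supplied allowlist constructed from the text), and scores each lookalike's lexical similarity to its nearest allowlisted brand, showing that a plain string-similarity check would not have flagged TidyMe or Voico on its own.

```python
import re
from difflib import SequenceMatcher

# Constructed sample: the defanged indicators exactly as the article above writes them.
REPORT_TEXT = """
TidyMe imitates peerme[.]io via tidyme[.]io (and related domains tidymeapp[.]io
and tidyme[.]app). RuneOnlineWorld ("runeonlineworld[.]io") mimics Rise Online World.
Voico pretends to be YOUS (yous[.]ai) and is served from voico[.]io.
"""

# Analyst-supplied allowlist: the legitimate domains the article says are being impersonated.
LEGITIMATE = {"peerme.io", "yous.ai"}

# A defanged domain: labels joined by the literal "[.]" rather than a dot.
DEFANGED_DOMAIN = re.compile(r"\b([a-z0-9-]+(?:\[\.\][a-z0-9-]+)+)\b", re.I)


def refang(indicator: str) -> str:
    """Turn 'tidyme[.]io' back into the resolvable form 'tidyme.io'."""
    return indicator.replace("[.]", ".").lower()


def extract_domains(text: str) -> set[str]:
    """Collect every defanged domain in the text and return it refanged."""
    return {refang(m.group(1)) for m in DEFANGED_DOMAIN.finditer(text)}


def second_level_label(domain: str) -> str:
    """'tidymeapp.io' -> 'tidymeapp' (the part a lookalike usually varies)."""
    return domain.split(".")[-2]


def lexical_similarity(a: str, b: str) -> float:
    """0..1 similarity of the second-level labels (difflib ratio)."""
    return SequenceMatcher(None, second_level_label(a), second_level_label(b)).ratio()


def triage(text: str, allowlist: set[str]) -> dict[str, dict]:
    """Blocklist candidates (domains not on the allowlist) with their nearest brand and score."""
    result = {}
    for domain in sorted(extract_domains(text) - allowlist):
        nearest, score = max(
            ((legit, lexical_similarity(domain, legit)) for legit in allowlist),
            key=lambda pair: pair[1],
        )
        result[domain] = {"nearest_brand": nearest, "similarity": round(score, 2)}
    return result
```

The five refanged candidates are ready for a DNS or proxy blocklist; the low similarity scores are the reason brand-impersonation sites need an allowlist and content-based checks, not just typo-squat detection.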

“The campaigns highlight the persistent and evolving threat posed by cybercriminals skilled in mimicking legitimate projects,” the researchers noted. “Their reliance on social engineering techniques like phishing, combined with complex, multistage malware delivery, showcases the advanced capabilities of these threat actors.”

By taking advantage of the trust users have in well-known platforms, these attackers successfully deploy various types of malware designed to steal sensitive data, compromise systems, and achieve financial gain.

To avoid falling victim to malware distributed through fake brand websites, always verify the authenticity of websites before entering any personal information. Look for tell-tale signs of phishing, such as poor grammar, suspicious URLs, or unexpected prompts to download software.

Be cautious when clicking on links in emails or social media, especially if they appear to come from unfamiliar sources or urge immediate action.