Hackers Use Fake Brand Sites to Spread DanaBot and StealC Malware

Cybersecurity researchers have uncovered a multi-part campaign in which cybercriminals impersonate legitimate brands to distribute malware, including the DanaBot and StealC information stealers.

The operation, tracked as Tusk and attributed to Russian-speaking threat actors, consists of several sub-campaigns that trade on the credibility of well-known brands. The attackers stand up lookalike websites and social media profiles and use them to talk users into downloading malicious software.

According to the researchers, every active sub-campaign hosts its initial downloader on a cloud storage service. That downloader then fetches and installs additional payloads, among them the DanaBot and StealC stealers and other malware families.

Of the 19 sub-campaigns identified, three were still operational at the time of the research. The name "Tusk" comes from the word "Mammoth", which appeared in the threat actors' logs; in Russian-speaking e-crime circles it is slang for a victim.

The campaigns rely on phishing and social engineering to get victims to hand over personal and financial information. The stolen data is either sold on underground markets or used directly to take over gaming accounts and cryptocurrency wallets.

The first active sub-campaign, TidyMe, clones the site peerme[.]io under domains such as tidyme[.]io, tidymeapp[.]io, and tidyme[.]app, and offers a download for both Windows and macOS. The file, served from a cloud storage service, is an Electron application that first asks the victim to solve a CAPTCHA. Once the CAPTCHA is completed the main application window appears as expected, while in the background further malicious files are downloaded and executed.

Those background files include Hijack Loader components, which in turn deploy a StealC variant configured to harvest a broad range of sensitive information from the host.

The second sub-campaign, RuneOnlineWorld (runeonlineworld[.]io), poses as the website of the MMO game Rise Online World and distributes a downloader that installs DanaBot and StealC. It also drops a Go-based clipper: malware that watches the clipboard for cryptocurrency wallet addresses and silently replaces any it finds with an attacker-controlled Bitcoin address, so that a victim who copies and pastes a destination address ends up paying the attacker instead.
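The mechanics of the clipper described above, and one defensive heuristic against it, as an added example. This is not the Tusk clipper's code or anything recovered from the campaign: the address patterns, the synthetic attacker address (encoded here from a made-up 20-byte hash so it is well-formed but belongs to nobody), and the clipboard event stream are all constructed for illustration, and the platform-specific clipboard hooking a real monitor would need is left out.

```python
"""Clipper mechanics and a swap-detection heuristic (constructed example)."""
import hashlib
import re

# Patterns a clipper uses to spot Bitcoin addresses in clipboard text:
# legacy P2PKH/P2SH (Base58, starts with 1 or 3) and native SegWit (bech32, bc1...).
BTC_PATTERNS = {
    "base58": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "bech32": re.compile(r"\bbc1[ac-hj-np-z02-9]{11,71}\b"),
}

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58check_encode(version: int, payload: bytes) -> str:
    """Base58Check: version || payload || first 4 bytes of double-SHA256."""
    raw = bytes([version]) + payload
    raw += _sha256d(raw)[:4]
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))  # each leading zero byte -> '1'
    return "1" * pad + out


def b58check_valid(addr: str) -> bool:
    """True only if addr decodes to 25 bytes whose trailing 4-byte checksum verifies.
    A pasted address that fails this was mangled; one that passes may still be swapped,
    which is why the comparison in detect_swaps is needed as well."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + body
    if len(raw) != 25:
        return False
    return _sha256d(raw[:-4])[:4] == raw[-4:]


def find_addresses(text: str) -> set:
    found = set()
    for pat in BTC_PATTERNS.values():
        found.update(pat.findall(text))
    return found


def clipper_rewrite(text: str, attacker_addr: str) -> str:
    """What the malware does on each clipboard change: swap every address it
    recognises for the attacker's and leave the surrounding text untouched."""
    for pat in BTC_PATTERNS.values():
        text = pat.sub(attacker_addr, text)
    return text


def detect_swaps(events):
    """Defensive heuristic: flag a clipboard write the user did not initiate that
    changes the wallet address the user last copied. events is a list of
    (source, text), source being 'user' for a user-initiated copy or 'other'
    for any other writer (the attribution itself comes from the OS hook)."""
    alerts = []
    last_user = set()
    for source, text in events:
        addrs = find_addresses(text)
        if source == "user":
            last_user = addrs
        elif last_user and addrs and addrs != last_user:
            alerts.append((sorted(last_user), sorted(addrs)))
    return alerts


# Constructed data: the well-known Bitcoin genesis-block address as the intended
# destination, and a synthetic attacker address that is valid but owned by no one.
GENESIS_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
ATTACKER_ADDR = b58check_encode(0x00, b"\xab" * 20)


def demo():
    user_text = f"send 0.05 BTC to {GENESIS_ADDR} before Friday"
    swapped = clipper_rewrite(user_text, ATTACKER_ADDR)
    events = [("user", user_text), ("other", swapped)]
    return swapped, detect_swaps(events)


if __name__ == "__main__":
    swapped, alerts = demo()
    print("after clipper:", swapped)
    print("alerts:", alerts)
```

The point of the two checks together: Base58Check validation catches a corrupted address but not a swapped one, because the attacker's address is perfectly well-formed; only comparing what was copied against what is about to be pasted, or confirming the first and last characters by eye before sending, catches the substitution.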

The third active sub-campaign, Voico, impersonates the AI translation project YOUS (yous[.]ai) under the domain voico[.]io. Its downloader, once installed, presents a registration form and asks the user for credentials; whatever the user types is captured by the malware.

Although the final payloads are similar across sub-campaigns, the StealC variant dropped by Voico talks to a different command-and-control server than the ones used by TidyMe and RuneOnlineWorld.

The researchers note that the campaigns illustrate how criminals exploit users' trust in reputable brands: a convincing clone of a known site, combined with multi-stage delivery (a cloud-hosted downloader, a loader, then the stealers), lets the operators change payloads without changing the lure.

The end goal in every sub-campaign is the same: steal sensitive information, keep a foothold on the compromised system, and convert the stolen data into money.

To protect yourself against malware distributed through fake brand sites, treat any unsolicited link to a software download with suspicion, whether it arrives by email, direct message, or a social media profile that appears to belong to the brand. Before downloading or entering credentials, confirm that the domain is exactly the brand's own (tidyme[.]io is not peerme[.]io, and voico[.]io is not yous[.]ai), ideally by typing the address yourself or reaching the site from a known-good bookmark. A padlock or HTTPS only means the connection is encrypted, not that the site is genuine; the lookalike sites in this campaign use HTTPS too. Be wary of installers that ask you to solve a CAPTCHA or fill in a registration form, and never type account credentials into a freshly downloaded program. When sending cryptocurrency, compare the pasted destination address character by character against the one you copied, since a clipper will swap it for an attacker's address that looks just as plausible. Finally, run endpoint protection that covers both phishing sites and malware detection.