A recent social engineering campaign targeted job seekers in the Web3 space with fake job interviews through a malicious "GrassCall" meeting app that installs information-stealing malware to steal cryptocurrency wallets. [...]
# Incident Report: GrassCall Malware Campaign Draining Crypto Wallets via Fake Job Interviews
## Executive Summary
A cybercrime campaign, tracked as GrassCall, leveraged fake job interviews to trick victims into downloading malware (either for Windows or macOS). Execution of the benign-looking software installed information-stealing malware, such as the Atomic (AMOS) Stealer on macOS, leading to the theft of cryptocurrency, browser credentials, and sensitive files. In a unique twist, successful attackers were reportedly rewarded with a portion of the stolen funds, posted publicly on Telegram channels associated with the "Crazy Evil" threat group.
## Incident Details
- **Discovery Date:** Not explicitly stated; the findings were published after researchers observed the campaign.
- **Incident Date:** Ongoing campaign (timing implicit based on reporting and TTPs).
- **Affected Organization:** Individuals seeking employment, primarily those in the crypto space, interacting with fake job postings (e.g., via CryptoJobsList).
- **Sector:** Technology/Finance (Targeting cryptocurrency users).
- **Geography:** Global (Inferred, targeting online job seekers).
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-malware installation phase (During fake job applications/interviews).
- **Vector:** Social Engineering via legitimate-looking job listings (e.g., on CryptoJobsList).
- **Details:** Threat actors hosted malicious installers disguised as legitimate software/clients required for the interview process.
### Lateral Movement
- **Details:** The primary focus appears to be localized theft from the infected machine (credential/wallet theft) rather than extensive network intrusion, though lateral movement capabilities of the underlying RATs cannot be ruled out based on the file description.
### Data Exfiltration/Impact
- **Details:** Stolen files based on keywords, cryptocurrency wallet credentials, passwords stored in Apple Keychain, and browser authentication cookies/passwords were uploaded to attacker servers. Successful crypto drains also resulted in payments being shared with the operatives responsible for the initial compromise.
### Detection & Response
- **How it was discovered:** Discovered and tracked by cybersecurity researchers (G0njxa, MalwareHunterTeam).
- **Response actions taken:** CryptoJobsList removed the associated job listings and warned applicants to scan their systems. The threat actors appear to have terminated this specific campaign, leading to the associated website becoming unavailable.
## Attack Methodology
- **Initial Access:** Social Engineering (Malicious job interview software).
- **Persistence:** Installation of malware/RATs upon execution.
- **Privilege Escalation:** Not explicitly detailed, though necessary for accessing Keychain/browser data.
- **Defense Evasion:** The malware was disguised as necessary functional clients (e.g., `GrassCall_v.6.10.exe` or `.dmg`).
- **Credential Access:** Stealing passwords from Apple Keychain and web browsers.
- **Discovery:** File keyword matching to locate high-value targets (likely crypto wallets/keys).
- **Lateral Movement:** Not the primary focus described, but the payload included RATs.
- **Collection:** Stealing cryptocurrency wallets, browser data, and files matching targeted keywords.
- **Exfiltration:** Uploading stolen data to command-and-control servers, with results posted to Telegram channels.
- **Impact:** Financial loss from cryptocurrency wallets drained using brute-forced passwords.
## Impact Assessment
- **Financial:** Significant financial loss for victims whose crypto wallets were drained. Attackers (Crazy Evil members) realized tens to hundreds of thousands of dollars per successful victim.
- **Data Breach:** Compromise of private passwords, authentication cookies, Apple Keychain data, and access to stored files.
- **Operational:** Potential business disruption for victims who installed the software, requiring password resets across all services.
- **Reputational:** Damage to the reputation of platforms hosting the fake listings (e.g., CryptoJobsList).
## Indicators of Compromise
- **Network indicators:** Stolen information uploaded to operation servers (C2 infrastructure not specified/defanged).
- **File indicators:**
  - Windows Client Payload Hash: `2c40fc5d25a3f645a48a0d4e248359bbfb8106` (Defanged example for reference).
  - macOS Client Payload: `GrassCall_v.6.10.dmg`
  - Installed Malware (macOS): Atomic (AMOS) Stealer.
- **Behavioral indicators:** Installation and execution of seemingly benign interview software, followed by immediate attempts to access browser profiles and the Apple Keychain.
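To make the file and behavioral indicators above actionable, the following is an added detection sketch written for this report; it is not code from the original report, from the researchers credited, or from any EDR vendor. It runs two rules over endpoint telemetry: a file-name match on the installer names the report lists, and a behavioral rule that fires when a process launched from a mounted disk image (`/Volumes/...`) opens Keychain, browser-profile or wallet data shortly after starting. The JSON-lines event schema, the sample events, the wallet path and the 120-second window are assumptions made for the example; the Keychain and browser paths are the standard macOS locations.

```python
import json
from collections import defaultdict
from datetime import datetime

# File-name indicators from the report (Windows and macOS installer names).
IOC_FILENAMES = {"grasscall_v.6.10.exe", "grasscall_v.6.10.dmg"}

# Data a stealer goes for right after launch. Keychain and browser profiles
# are the ones the report names; the wallet directory is an assumed addition.
SENSITIVE_PATH_FRAGMENTS = (
    "/Library/Keychains/",                             # Apple Keychain database
    "/Library/Application Support/Google/Chrome/",     # Chrome Login Data / Cookies
    "/Library/Application Support/Firefox/Profiles/",  # Firefox logins / cookies
    "/Library/Application Support/Exodus/",            # desktop wallet data (assumed)
)

WINDOW_SECONDS = 120  # what "immediately after launch" means for this rule

# Constructed telemetry in an assumed JSON-lines schema (not a real EDR format).
# pid 501 is the user's own browser reading its profile (benign), pid 613 is an
# app launched from a mounted DMG that reads Keychain and browser data within
# seconds, pid 700 is a DMG-launched app that touches browser data only much later.
SAMPLE_LOG = """\
{"ts": "2025-01-10T10:00:00+00:00", "type": "process_start", "pid": 501, "image": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"}
{"ts": "2025-01-10T10:00:02+00:00", "type": "file_open", "pid": 501, "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"}
{"ts": "2025-01-10T10:01:30+00:00", "type": "file_open", "pid": 77, "path": "/Users/alice/Downloads/GrassCall_v.6.10.dmg"}
{"ts": "2025-01-10T10:02:00+00:00", "type": "process_start", "pid": 613, "image": "/Volumes/GrassCall/GrassCall.app/Contents/MacOS/GrassCall"}
{"ts": "2025-01-10T10:02:05+00:00", "type": "file_open", "pid": 613, "path": "/Users/alice/Library/Keychains/login.keychain-db"}
{"ts": "2025-01-10T10:02:07+00:00", "type": "file_open", "pid": 613, "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"}
{"ts": "2025-01-10T10:02:08+00:00", "type": "file_open", "pid": 613, "path": "/Volumes/GrassCall/GrassCall.app/Contents/Resources/ui.js"}
{"ts": "2025-01-10T10:10:00+00:00", "type": "process_start", "pid": 700, "image": "/Volumes/Slack/Slack.app/Contents/MacOS/Slack"}
{"ts": "2025-01-10T10:20:00+00:00", "type": "file_open", "pid": 700, "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into dicts, converting 'ts' to a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def is_sensitive(path):
    """True if the path lies under one of the credential/wallet locations."""
    return any(frag in path for frag in SENSITIVE_PATH_FRAGMENTS)


def detect(events):
    """Apply both rules and return alerts in the order they fire.

    ioc_filename     - any file event whose basename is a known installer name.
    stealer_behavior - a process started from /Volumes/ (a mounted disk image)
                       that opens Keychain, browser or wallet data within
                       WINDOW_SECONDS of starting. The browser reading its own
                       profile, or access long after launch, does not fire.
    """
    alerts = []
    launched = {}               # pid -> (image, start time) for /Volumes/ processes
    touched = defaultdict(set)  # pid -> sensitive paths opened inside the window
    for ev in events:
        if ev["type"] == "process_start":
            if ev["image"].startswith("/Volumes/"):
                launched[ev["pid"]] = (ev["image"], ev["ts"])
        elif ev["type"] == "file_open":
            name = ev["path"].rsplit("/", 1)[-1].lower()
            if name in IOC_FILENAMES:
                alerts.append({"rule": "ioc_filename", "pid": ev["pid"], "path": ev["path"]})
            if ev["pid"] in launched and is_sensitive(ev["path"]):
                start = launched[ev["pid"]][1]
                if 0 <= (ev["ts"] - start).total_seconds() <= WINDOW_SECONDS:
                    touched[ev["pid"]].add(ev["path"])
    for pid, paths in touched.items():
        alerts.append({"rule": "stealer_behavior", "pid": pid,
                       "image": launched[pid][0], "paths": sorted(paths)})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

On the constructed sample this yields one `ioc_filename` alert for the downloaded DMG and one `stealer_behavior` alert for the process launched from the mounted image, which read the Keychain database and Chrome's `Login Data` five to seven seconds after starting; the browser's own profile access and the late access by the second DMG-launched app stay silent. In a real deployment the same two rules would be expressed in the EDR's query language, and a hash match against the report's file indicators would be a dictionary lookup of the same shape as the file-name check.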
## Response Actions
- **Containment measures:** Victims were urged to change all passwords, passphrases, and authentication tokens immediately.
- **Eradication steps:** Victims advised to scan devices for malware.
- **Recovery actions:** N/A for the platform/organization perspective, focused on end-user remediation.
## Lessons Learned
- **Key takeaways:** Threat actors are leveraging high-trust vectors like job recruitment to deliver sophisticated loaders for information stealers and RATs, specifically targeting financially motivated individuals in the crypto space. The unique internal reward structure incentivizes high involvement from the threat actor's members.
- **What could have been done better:** Job listing platforms should implement stricter vetting processes to prevent the hosting of high-stakes social engineering ploys disguised as legitimate opportunities.
## Recommendations
- Users seeking crypto-related employment must verify the legitimacy of interview software requirements outside of the immediate application context.
- Implement strong, unique passwords and multi-factor authentication on all cryptocurrency wallets and sensitive accounts.
- Regularly scan systems for malware, especially immediately following the installation of any third-party executables received during online processes.
- Threat actors (Crazy Evil) have pivoted to a new campaign targeting an NFT game ("Mystix"), indicating a need for continued vigilance across the cryptocurrency ecosystem.