Full Report
Cybersecurity researchers have warned of a new scam campaign that leverages fake video conferencing apps to deliver an information stealer called Realst targeting people working in Web3 under the guise of fake business meetings. "The threat actors behind the malware have set up fake companies using AI to make them increase legitimacy," Cado Security researcher Tara Gould said. "The company
Analysis Summary
# Tool/Technique: Realst Infostealer (Meeten Campaign)
## Overview
Realst is a Rust-based information stealer distributed through a social engineering campaign codenamed "Meeten" after one of the fake applications it uses. The campaign promotes fake video conferencing applications to trick targets, particularly people working in Web3, into downloading the malware under the guise of attending a business meeting; initial contact is typically made on platforms such as Telegram. The threat actors use AI-generated content to make the fake company websites behind these apps look legitimate.
## Technical Details
- Type: Malware family (Information Stealer)
- Platform: macOS (Rust binary) and Windows (NSIS installer with an Electron component that downloads the Rust stealer)
- Capabilities: Stealing cryptocurrency wallet information, banking data, Telegram credentials, iCloud Keychain data, and browser cookies from multiple major browsers.
- First Seen: Not stated in the excerpt; the report describes the campaign as recent activity at the time of publication.
## MITRE ATT&CK Mapping
This campaign relies on social engineering and user execution, followed by local credential collection and exfiltration.
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1566.002 - Spearphishing Link (targets are directed to a fake company website to download the app)
- T1566.003 - Spearphishing via Service (initial contact reported on Telegram)
- **TA0002 - Execution**
- T1204.002 - User Execution: Malicious File (the victim runs the fake meeting app installer)
- T1059.002 - Command and Scripting Interpreter: AppleScript (`osascript` used on macOS to display the password prompt)
- **TA0005 - Defense Evasion**
- T1553.002 - Subvert Trust Controls: Code Signing (Windows NSIS installer signed with a certificate issued to Brys Software Ltd.)
- **TA0006 - Credential Access**
- T1056.002 - Input Capture: GUI Input Capture (`osascript` dialog requesting the system password)
- T1555.001 - Credentials from Password Stores: Keychain (iCloud Keychain data)
- T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
- T1539 - Steal Web Session Cookie (browser cookies)
- **TA0009 - Collection**
- T1005 - Data from Local System
- T1560 - Archive Collected Data (implied aggregation before exfiltration; not confirmed in the excerpt)
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel (implied transfer to an attacker-controlled server)
## Functionality
### Core Capabilities
- **Data Theft:** Targeting sensitive personal and financial information, with a high focus on cryptocurrency wallets.
- **Browser Credential Harvesting:** Scraping cookies and stored data from Chrome, Edge, Opera, Brave, Arc, Cốc Cốc, and Vivaldi.
- **Credential Theft:** Targeting Telegram application credentials.
### Advanced Features
- **Social Engineering Lure:** Creation of seemingly legitimate fake companies (using AI for realistic websites) promoting fake video conferencing apps (Clusee, Cuesee, Meeten, Meetone, Meetio).
- **macOS Credential Prompt (`osascript`):** On macOS, the malware uses `osascript` to display a dialog asking the user to enter their system password to "fully initialize" the application. This is GUI input capture rather than a legitimate authorization request: the typed password is harvested by the stealer, most likely to unlock Keychain data, and possibly to install further components.
- **Windows Delivery Mechanism:** The Windows version uses an NSIS installer, signed with a potentially stolen certificate (Brys Software Ltd.), which downloads the final Rust stealer executable from an attacker-controlled domain.
## Indicators of Compromise
*Note: Specific hashes/C2 IPs/domains were not provided in the article, only names of related activities.*
- File Hashes: [N/A]
- File Names: Fake video conferencing applications disguised under names like Clusee, Cuesee, Meeten, Meetone, or Meetio.
- Registry Keys: [N/A]
- Network Indicators: Attacker-controlled domains serving the final payload and receiving exfiltrated data; the specific domains are not provided in the excerpt.
- Behavioral Indicators: Installation prompted by social engineering; macOS process using `osascript` to request a user's system password after initial launch.
## Associated Threat Actors
- Unnamed threat actors utilizing AI for campaign sophistication.
- Overlaps exist with campaigns previously distributing stealers like Rhadamanthys, Stealc, and Atomic (Markopolo campaign), and those using fake meeting software (Meethub[.]gg campaign).
## Detection Methods
- Signature-based detection: Detection signatures for the known Rust binary payload.
- Behavioral detection: Monitoring for unusual activity following the execution of legitimate-looking meeting software, especially the automatic request for system-level passwords on macOS via `osascript` or attempts to access browser/wallet data directories.
- YARA rules: YARA rules targeting unique strings or structures within the Rust binary.
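The behavioral detections above, written out as an added example (editor-written code, not Cado Security's or the report's own): two rules run over a list of process and file-access events. The event field names (`image`, `parent_image`, `cmdline`, `file`), the sample events and the list of credential-store paths are assumptions constructed for illustration; map them onto your EDR's schema. The first rule flags an `osascript` invocation that draws a `display dialog` with a hidden-answer field (the classic stealer password prompt) and raises the severity when the parent process is one of the fake meeting apps; the second flags any process from those apps reading browser, wallet or Keychain data.

```python
"""Behavioral detection for the Realst/Meeten macOS lure (added example).

Assumptions: events are dicts with keys pid, image, parent_image, cmdline and
an optional file (path accessed). The sensitive-path list is illustrative.
"""
import json
import os
import re

# App names the report says the fake meeting software is distributed under.
FAKE_MEETING_APPS = ("clusee", "cuesee", "meeten", "meetone", "meetio")

# AppleScript 'display dialog ... with hidden answer' is a password-style text
# field. A genuine macOS authorization prompt is drawn by SecurityAgent, never
# by osascript, so this pattern alone is worth an alert.
PASSWORD_PROMPT_RE = re.compile(
    r"display\s+dialog\b.*\bwith\s+hidden\s+answer", re.IGNORECASE | re.DOTALL
)

# Illustrative credential/wallet stores (paths are matched as substrings so
# they work for any $HOME).
SENSITIVE_PATHS = (
    "Library/Keychains/",
    "Library/Application Support/Google/Chrome/",
    "Library/Application Support/BraveSoftware/",
    "Library/Application Support/Arc/",
    "Library/Application Support/Telegram Desktop/",
    "Library/Application Support/Exodus/",
)


def is_fake_meeting_app(path: str) -> bool:
    """True if an image path belongs to one of the lure app names."""
    lowered = path.lower()
    return any(name in lowered for name in FAKE_MEETING_APPS)


def detect(events):
    """Return a list of alert dicts for the given events, in event order."""
    alerts = []
    for ev in events:
        image = ev.get("image", "")
        parent = ev.get("parent_image", "")
        cmdline = ev.get("cmdline", "")
        # Rule 1: osascript drawing a hidden-answer (password) dialog.
        if os.path.basename(image) == "osascript" and PASSWORD_PROMPT_RE.search(cmdline):
            severity = "high" if is_fake_meeting_app(parent) else "medium"
            alerts.append({"rule": "osascript_password_prompt", "severity": severity,
                           "pid": ev.get("pid"), "parent": parent})
        # Rule 2: a lure app process touching a credential or wallet store.
        target = ev.get("file")
        if target and is_fake_meeting_app(image) and any(p in target for p in SENSITIVE_PATHS):
            alerts.append({"rule": "meeting_app_reads_credential_store", "severity": "high",
                           "pid": ev.get("pid"), "file": target})
    return alerts


def detect_jsonl(text: str):
    """Run detect() over newline-delimited JSON, e.g. an EDR export."""
    return detect([json.loads(line) for line in text.splitlines() if line.strip()])


# Constructed sample events (not real telemetry): one benign osascript dialog,
# one benign app reading its own data, and four stealer-like events.
SAMPLE_EVENTS = [
    {"pid": 401, "image": "/usr/bin/osascript",
     "parent_image": "/Applications/Meeten.app/Contents/MacOS/Meeten",
     "cmdline": "osascript -e 'display dialog \"Meeten needs your system password to "
                "fully initialize\" default answer \"\" with hidden answer'"},
    {"pid": 402, "image": "/usr/bin/osascript",
     "parent_image": "/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor",
     "cmdline": "osascript -e 'display dialog \"Hello\"'"},
    {"pid": 403, "image": "/Applications/Meeten.app/Contents/MacOS/Meeten",
     "parent_image": "/sbin/launchd",
     "cmdline": "/Applications/Meeten.app/Contents/MacOS/Meeten",
     "file": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"pid": 403, "image": "/Applications/Meeten.app/Contents/MacOS/Meeten",
     "parent_image": "/sbin/launchd",
     "cmdline": "/Applications/Meeten.app/Contents/MacOS/Meeten",
     "file": "/Users/alice/Library/Application Support/BraveSoftware/Brave-Browser/Default/Cookies"},
    {"pid": 404, "image": "/Applications/zoom.us.app/Contents/MacOS/zoom.us",
     "parent_image": "/sbin/launchd",
     "cmdline": "/Applications/zoom.us.app/Contents/MacOS/zoom.us",
     "file": "/Users/alice/Library/Application Support/zoom.us/data/zoomus.db"},
    {"pid": 405, "image": "/usr/bin/osascript",
     "parent_image": "/Applications/SomeTool.app/Contents/MacOS/SomeTool",
     "cmdline": "osascript -e 'display dialog \"Enter password\" default answer \"\" with hidden answer'"},
]


def sample_jsonl() -> str:
    """The constructed events serialised as JSON lines, for detect_jsonl()."""
    return "\n".join(json.dumps(ev) for ev in SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Both rules are deliberately independent: the password dialog fires even when the parent is an unknown app (medium severity), because a renamed lure or a future campaign will not be on the app-name list, while the name list only raises severity and scopes the file-access rule. The same lineage idea carries over to the Windows chain the report describes (NSIS installer to Electron app to Rust binary), with the parent check replaced by a parent-chain check.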
## Mitigation Strategies
- **User Awareness/Training:** Educate employees, especially those dealing with Web3/investments, about social engineering tactics using fake collaboration software and AI-generated convincing websites.
- **Application Allowlisting:** Restrict the execution of newly downloaded executables. Note that the Windows installer in this campaign carried a signature (Brys Software Ltd.), so "signed" alone is not a sufficient trust criterion; allowlist by known publisher or hash.
- **Endpoint Security:** Ensure EDR solutions monitor for suspicious process lineage (NSIS/Electron leading to a Rust binary) and unauthorized access to credential stores (Keychains, browser profiles, wallet data).
- **macOS Hardening:** Treat any application-generated password prompt with suspicion. A genuine authorization prompt is drawn by the system (SecurityAgent); an `osascript` `display dialog` window cannot grant real privileges and only captures whatever is typed into it. Alert on `osascript` executions whose dialog text asks for a password, particularly those using `with hidden answer`.
## Related Tools/Techniques
- Atomic macOS Stealer
- Cuckoo Stealer
- MacStealer
- Banshee Stealer
- Cthulhu Stealer
- Rhadamanthys Stealer
- Stealc Stealer
- RedLine Stealer
- Poseidon Stealer
- Fickle Stealer
- Wish Stealer
- Hexon Stealer
- Celestial Stealer