A Russian threat actor is making inroads with game developers by using fraudulent Web3 game projects to deploy multiple infostealer variants on macOS and Windows devices.
According to Recorded Future’s Insikt Group, which discovered the malicious activity, the ultimate goal of the campaign appears to be to defraud victims and steal their cryptocurrency wallets.
The extensive Russian-language campaign imitates legitimate projects using slight changes in project names and branding, even going so far as to have multiple fake social media accounts impersonating the projects to make them appear authentic, according to a report published online.
In the attack, a project’s main web page offers or links to installation files for purported “gaming” software, apparently for use by developers. However, these files instead deliver Atomic macOS Stealer (for Intel- or ARM-based Macs), Rhadamanthys, or RisePro, depending on the victim’s operating system.
“The targeted nature of this campaign suggests that threat actors may perceive Web3 players as having a more acute vulnerability to social engineering, due to a perceived compromise in cyber hygiene – meaning Web3 players may have fewer protections in place against cybercrime – in the pursuit of profit,” the report reads.
This profit comes in the form of cryptocurrency, as the actor primarily targets developers’ crypto wallets with the intent of compromising them. Web3 games are online games, such as Axie Infinity and MixMob, built on blockchain technology, in which players can earn various cryptocurrencies.
“With wallet compromise continuing to be the largest threat to both Web3 and cryptocurrency security… we believe wallet compromise is likely the ultimate goal of this campaign,” according to Insikt Group. According to the report, attackers can also use credentials collected from the malicious activity “for a variety of unauthorized account accesses.”
In fact, the report outlines several reports on social media of game developers falling victim to the scam and having their crypto wallets drained, including one who lost around 2.5 Ethereum, or around $8,000.
Setting a trap through impersonation
The attack campaign takes the form of what is called “trap phishing,” whereby malicious actors duplicate and distribute lookalikes of Web3 projects.
Insikt researchers began investigating the malicious activity after Web3 smart contract auditor CertiK described in January a project called Abstraction that used fake job postings and non-fungible token (NFT) offerings to lure game developers into a trap-phishing campaign spreading infostealers.
The fraudulent project duplicated and recreated nearly all of the social media accounts associated with a legitimate project called Alteration, including reposting social media content from legitimate accounts, creating a direct copy of the project’s Discord server, and distributing two types of malware.
After further research, Insikt found five more fraudulent game projects, three of which provided malicious files that communicated with the same command and control (C2) server as those obtained from the Abstraction project, as well as two that were no longer active but bore similarities to the active scams. The alleged game names associated with the active projects were ArgonGame, DustFighter, and CosmicWay Reboot, while the games associated with the inactive projects were Crypterium World and Myth Island.
Overall, according to Insikt, threat actors are carrying out the campaign via “a resilient infrastructure, which allows them to quickly adapt by changing branding or shifting focus to detection.”
Maintain vigilance to mitigate risk
Insikt highlighted the need for both individuals and organizations to maintain continuous vigilance against threats and adopt mitigation strategies against campaigns that use phishing as an initial point of entry. To that end, the group offered a number of mitigations in its report and included a list of indicators of compromise.
The first is to provide comprehensive training to users, especially those involved in Web3 gaming or related fields, to recognize the social engineering tactics associated with trap phishing. In particular, according to the report, game developers should “examine the legitimacy of Web3 projects advertised on social media.”
Organizations should also educate users about the well-known risks associated with downloading software from unverified sources and the importance of verifying the authenticity of project websites before installing.
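The report notes that the fraudulent projects differ from the real ones by only slight changes in name and branding (Abstraction versus Alteration, for example). One cheap check a defender can automate before anyone installs advertised software is to compare the project names seen in job offers, social media posts and download pages against a list of projects the organization actually works with. The following is an added example written for this article, not code from the Insikt Group report or from any of the projects named: the legitimate list, the advertised names and the homoglyph table are all constructed for illustration, except that Alteration and Abstraction come from the article.

```python
"""Flag advertised Web3 project names that are near-matches of known projects.

Added example (not from the Insikt Group report). The only names taken from the
article are 'Alteration' (legitimate) and 'Abstraction' (fraudulent copy); every
other name below is constructed for illustration.
"""
import re

# Digit/symbol substitutions commonly used in lookalike names. This table is an
# assumption of the example, not something the report lists.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})


def normalize(name: str) -> str:
    """Lowercase, fold digit/letter lookalikes, drop punctuation and spaces."""
    folded = name.lower().translate(HOMOGLYPHS)
    return re.sub(r"[^a-z0-9]", "", folded)


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute each costing 1."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def classify(candidate: str, known_projects: list, max_distance: int = 4):
    """Return (verdict, nearest_known, distance) for one advertised name.

    'exact'     - normalized name equals a known project; still verify the domain
                  or social handle, since impersonators often reuse the exact name
    'lookalike' - within max_distance edits of a known project
    'unrelated' - no close match in the list
    """
    cand = normalize(candidate)
    nearest, best = None, None
    for known in known_projects:
        d = levenshtein(cand, normalize(known))
        if best is None or d < best:
            nearest, best = known, d
    if best == 0:
        return "exact", nearest, 0
    if best is not None and best <= max_distance:
        return "lookalike", nearest, best
    return "unrelated", nearest, best


def flag_lookalikes(candidates, known_projects, max_distance: int = 4):
    """Reduce a batch of advertised names to those needing a manual legitimacy check."""
    hits = []
    for c in candidates:
        verdict, nearest, d = classify(c, known_projects, max_distance)
        if verdict != "unrelated":
            hits.append((c, verdict, nearest, d))
    return hits


# Constructed sample data: a short list of projects an organization trusts and a
# batch of names scraped from job offers or social media posts.
KNOWN_PROJECTS = ["Alteration", "Axie Infinity", "MixMob"]
ADVERTISED = ["Abstraction", "Axie Infinty", "Mixm0b", "Moonchain Quest"]

if __name__ == "__main__":
    for name, verdict, nearest, d in flag_lookalikes(ADVERTISED, KNOWN_PROJECTS):
        print(f"{name!r}: {verdict} (nearest known {nearest!r}, distance {d})")
```

A hit is a prompt for a human to check the project's real website, Discord and social accounts, as the report advises, not a verdict on its own; the distance threshold of 4 is an assumption that should be tuned to the length of the names in use.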
Endpoint protection solutions updated with the latest threat intelligence – such as antivirus software that can detect and block known infostealer variants like Atomic, Stealc, Rhadamanthys, and RisePro – can also help organizations avoid compromises.
According to Insikt, organizations should also implement cross-platform security measures to protect against malware infections on both macOS and Windows devices, including firewalls, intrusion detection systems, and endpoint detection and response (EDR) solutions.