Kaspersky Lab analysts have uncovered a sophisticated cybercrime operation dubbed “Tusk,” targeting Windows and macOS users globally. This campaign, believed to be orchestrated by Russian-speaking threat actors, employs a combination of phishing, infostealers, and clipboard hijackers to pilfer cryptocurrency and sensitive personal information.
The Anatomy of Tusk Attacks
The Tusk campaign initiates its assault by luring victims to meticulously crafted phishing websites. These deceptive platforms closely mimic the design and user interface of legitimate services, making them difficult to distinguish at first glance. The attackers leverage popular themes such as Web3, cryptocurrency, artificial intelligence, and online gaming to capture their targets’ attention.
Upon closer inspection, subtle differences in domain names or URLs may be noticeable. However, the overall appearance of these fraudulent sites is convincingly authentic, potentially fooling even cautious users.
Malware Distribution and Data Theft Techniques
Once users interact with these phishing sites, the attackers employ various methods to compromise their systems:
1. Credential Harvesting
The phishing sites are designed to collect sensitive information, including private keys for cryptocurrency wallets, directly from unsuspecting victims.
2. Malware Deployment
Tusk operators distribute malware through seemingly innocuous file downloads, often hosted on legitimate platforms like Dropbox. The malware arsenal includes:
- Infostealers: Variants such as DanaBot and StealC are used to extract valuable data from infected systems.
- Clipboard hijackers: These tools intercept and modify clipboard contents, potentially replacing cryptocurrency wallet addresses with those controlled by the attackers.
3. Social Engineering Tactics
To maximize infection rates, the cybercriminals employ sophisticated social engineering techniques. Victims are often directed to attractive, user-friendly interfaces where they’re prompted to log in or keep the page open, allowing additional malicious payloads to be downloaded in the background.
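The clipboard hijackers described under "Malware Deployment" work by rewriting a copied wallet address almost instantly; a defender can look for exactly that timing. The following is an added example (not code from Kaspersky or from the article) showing a detection heuristic over polled clipboard snapshots; the address patterns, the 3-second window and the sample polls are all assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Rough syntactic patterns for common address formats (assumption: no checksum
# validation, so these only recognise address-shaped strings).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify_address(text):
    """Return 'btc', 'eth' or None for a clipboard string."""
    s = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return coin
    return None

@dataclass
class ClipboardSnapshot:
    ts: float      # seconds since monitoring started
    content: str   # clipboard text at that poll

def detect_address_swaps(snapshots, window=3.0):
    """Flag polls where one address is replaced by a *different* address of the
    same coin within `window` seconds. A person re-copying an address normally
    takes longer than that; a clipper rewrites it almost immediately.
    Returns (ts, coin, original, replacement) tuples."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        before, after = prev.content.strip(), cur.content.strip()
        coin = classify_address(before)
        if coin and classify_address(after) == coin and before != after \
                and cur.ts - prev.ts <= window:
            alerts.append((cur.ts, coin, before, after))
    return alerts

# Constructed sample of clipboard polls (not real captures): an ETH address is
# replaced 0.4 s after the copy; the BTC re-copy a minute later is the user's
# own action and should not be flagged.
SAMPLE_POLLS = [
    ClipboardSnapshot(0.0, "meeting notes"),
    ClipboardSnapshot(10.0, "0x" + "a" * 40),
    ClipboardSnapshot(10.4, "0x" + "b" * 40),
    ClipboardSnapshot(60.0, "bc1q" + "x" * 38),
    ClipboardSnapshot(120.0, "1" + "A" * 33),
]

if __name__ == "__main__":
    for ts, coin, before, after in detect_address_swaps(SAMPLE_POLLS):
        print(f"[{ts:6.1f}s] possible {coin} clipper: {before[:10]}... -> {after[:10]}...")
```

The window-based heuristic will also fire when a user deliberately copies two addresses of the same coin in quick succession, so in practice it is an alerting signal to correlate with process activity rather than a blocking control.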
Evidence of Russian-Speaking Threat Actors
Several indicators point to the involvement of Russian-speaking cybercriminals in the Tusk campaign:
- Russian language strings have been identified within the malware code.
- The term “Мамонт” (Mammoth), commonly used by Russian-speaking cybercriminals to refer to victims, has been found in some of the malicious files.
Kirill Semyonov, Head of the Incident Detection and Response Competence Center at Kaspersky Lab, emphasizes the campaign’s sophistication: “Our analysis reveals a meticulously planned operation, characterized by multi-stage, interconnected attacks. This could be the work of either a group or an individual threat actor with financial motivations. Through the Kaspersky Threat Intelligence Portal, we’ve identified sub-campaigns targeting various trending topics, including cryptocurrencies, artificial intelligence, and online gaming, along with 16 other themes. This demonstrates the attackers’ ability to swiftly adapt to current trends and exploit them for user targeting.”
As the Tusk campaign continues to evolve, with 3 out of 19 identified sub-campaigns still active, it’s crucial for users to remain vigilant. Implementing robust cybersecurity measures, including the use of reputable security software, practicing caution when interacting with unfamiliar websites, and regularly updating systems and applications, can significantly reduce the risk of falling victim to such sophisticated attacks.