
Global infostealer malware operation targets cryptocurrency users and gamers

Hackers monitor infected devices

A massive infostealer malware operation spanning thirty campaigns targeting a broad range of demographics and system platforms has been discovered, attributed to a group of cybercriminals called “Marko Polo.”

Threat actors use a variety of distribution channels including adware malware, spearphishing, and brand impersonation in online games, cryptocurrencies, and software to spread 50 malware payloads, including AMOS, Stealc, and Rhadamanthys.

According to Recorded Future’s Insikt Group, which has been tracking Marko Polo’s activities, the malware campaign has affected thousands of people, causing potential financial losses in the millions.

“Given the broad scope of the Marko Polo campaign, Insikt Group suspects that tens of thousands of devices were likely compromised worldwide, leading to the exposure of sensitive personal and corporate data,” Insikt Group of Recorded Future warned.

“This poses significant risks to both consumer privacy and business continuity. Almost certainly generating millions of dollars in illicit revenue, this operation also highlights the negative economic impact of such cybercriminal activities.”

Clusters and separate campaigns related to Marko Polo
Source: Recorded Future

Setting high value traps

According to a report by Insikt Group, Marko Polo primarily uses a spearphishing method, sending messages directly on social media platforms to reach high-value targets such as cryptocurrency influencers, gamers, software developers, and others who may have access to valuable data or assets.

Victims are lured into downloading malware by interacting with what appear to be legitimate job offers or project collaboration requests.

Some of the brands they are impersonating include: Fortnite (gaming), Party Icon (gaming), RuneScape (gaming), Rise Online World (gaming), Zoom (productivity), and PeerMe (cryptocurrency).

Marko Polo also uses its own invented brands, unrelated to existing projects, such as Vortax/Vorion and VDeck (meeting software), Wasper and PDFUnity (collaboration platforms), SpectraRoom (cryptographic communication), and NightVerse (web3 game).

In some cases, victims are directed to fake virtual meeting, messaging, and gaming app websites that are used to install malware. Other campaigns distribute malware via executable files (.exe or .dmg) in torrent files.

One of the malicious sites promoting a counterfeit product
Source: Recorded Future

Targets both Windows and macOS systems

Marko Polo’s toolset is diverse, proving that the cybercriminal group is capable of conducting multi-platform and multi-vector attacks.

On Windows, HijackLoader is used to deliver Stealc, a general-purpose, lightweight data stealer designed to collect data from browsers and cryptocurrency wallet applications, or Rhadamanthys, a more specialized data stealer that targets a wide range of applications and data types.

In its latest update, Rhadamanthys added a Clipper plugin that redirects cryptocurrency payments to attacker-controlled wallets, the ability to recover deleted Google account cookies, and a bypass for Windows Defender protections.

When the target uses macOS, Marko Polo deploys Atomic (“AMOS”). This stealer was launched in mid-2023 and is rented to cybercriminals for $1,000 per month, allowing them to steal various data stored in web browsers.

AMOS can also brute force MetaMask seeds and steal Apple Keychain passwords to compromise Wi-Fi passwords, saved logins, credit card details, and other encrypted information stored on macOS.

Marko Polo’s chain of infection
Source: Recorded Future

Malicious campaigns using information-stealing malware have increased significantly over the years. Threat actors target their victims by exploiting zero-day vulnerabilities, fake VPNs, GitHub issue patches, and even StackOverflow answers.

This data is then used to break into corporate networks, conduct data theft campaigns like the massive SnowFlake account breach, and cause chaos by corrupting network routing information.

To minimize the risk of downloading and running information-stealing malware on your computer, do not click on links shared by strangers and only download software from official project sites.

The malware used by Marko Polo is detected by most current antivirus programs, so scanning downloaded files before running them should stop the infection before it begins.
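The two defensive points made here, downloading only from official project sites and checking a file before running it, can be turned into a small pre-execution triage check, and the brand-impersonation lures described earlier (Zoom, Fortnite, RuneScape lookalikes) are what the hostname check is meant to catch. The following Python script is an added example written for this article; it is not code from Recorded Future or from any vendor tool. The allowlist of official hostnames, the brand list, the sample file bytes and the published-hash value are all constructed for illustration, and the domain heuristics (brand name embedded in an unlisted hostname, or a one-character misspelling of the brand) are deliberately simple.

```python
"""Triage a downloaded installer before it is executed.

Added illustrative example. Models two checks: the download host is
compared against an allowlist of official sites and scored for brand
impersonation, and the file's SHA-256 is compared with a hash the
vendor publishes. All hostnames, brands and data are constructed samples.
"""
from __future__ import annotations

import hashlib
import re
from urllib.parse import urlparse

# Constructed allowlist: brand -> hostnames (registrable domains) trusted for it.
OFFICIAL_HOSTS = {
    "zoom": {"zoom.us"},
    "fortnite": {"fortnite.com", "epicgames.com"},
    "runescape": {"runescape.com", "jagex.com"},
}

# File types the article names as carriers (.exe, .dmg) plus common installers.
RISKY_SUFFIXES = {".exe", ".dmg", ".msi", ".pkg"}


def _levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typo-squats such as 'zooom'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); sufficient for the sample data here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_host(host: str) -> tuple[str, str | None]:
    """Return (verdict, brand); verdict is 'official', 'impersonation' or 'unknown'."""
    lowered = host.lower()
    reg = _registrable(lowered)
    for brand, hosts in OFFICIAL_HOSTS.items():
        if reg in hosts:
            return "official", brand
    # Split on dots and hyphens so 'zooom-meetings.example' yields token 'zooom'.
    tokens = re.split(r"[-.]", lowered)
    for brand in OFFICIAL_HOSTS:
        if brand in lowered or any(_levenshtein(t, brand) <= 1 for t in tokens):
            return "impersonation", brand
    return "unknown", None


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of the file contents (in practice read from disk in chunks)."""
    return hashlib.sha256(data).hexdigest()


def triage_download(url: str, filename: str, data: bytes,
                    expected_sha256: str | None) -> dict:
    """Combine the host verdict, file-type note and hash check into one result.

    'run' is True only when the host is allowlisted and the hash matches the
    vendor-published value; every other condition is reported as a finding.
    """
    host = urlparse(url).hostname or ""
    verdict, brand = classify_host(host)
    suffix = filename[filename.rfind("."):].lower() if "." in filename else ""
    findings = []
    if verdict == "impersonation":
        findings.append(f"host {host} looks like an impersonation of {brand}")
    elif verdict == "unknown":
        findings.append(f"host {host} is not an allowlisted source")
    if suffix in RISKY_SUFFIXES:
        findings.append(f"{suffix} is an executable installer; verify before running")
    actual = sha256_bytes(data)
    if expected_sha256 is None:
        hash_ok = False
        findings.append("no vendor-published hash supplied; integrity not verified")
    else:
        hash_ok = actual == expected_sha256.lower()
        if not hash_ok:
            findings.append("SHA-256 does not match the vendor-published hash")
    return {
        "host_verdict": verdict,
        "brand": brand,
        "sha256": actual,
        "hash_ok": hash_ok,
        "run": verdict == "official" and hash_ok,
        "findings": findings,
    }


if __name__ == "__main__":
    sample = b"constructed sample bytes, not a real installer"
    published = sha256_bytes(sample)  # stands in for a hash from the vendor's site
    print(triage_download("https://zoom.us/client/ZoomInstaller.exe",
                          "ZoomInstaller.exe", sample, published))
    print(triage_download("https://zooom-meetings.example/ZoomInstaller.exe",
                          "ZoomInstaller.exe", sample, None))
```

The second call in the usage block is the case the article describes: a convincing filename served from a near-miss domain with no published hash to check against, which the triage reports as an impersonation and refuses to clear for execution. A real deployment would replace the crude registrable-domain split with a public-suffix list and source the allowlist from an internal software catalogue.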