Global malware operation targets crypto users and gamers

A massive infostealer malware operation has been uncovered, attributed to a cybercriminal group named “Marko Polo”. The group uses various distribution channels, including malvertising, spearphishing, and brand impersonation in online gaming, cryptocurrency, and software. This campaign has impacted thousands of devices globally, exposing sensitive personal and corporate data.

The campaign focuses on high-value victims such as cryptocurrency influencers, gamers, software developers, and others who handle valuable data or assets. Victims are lured into downloading malicious software by engaging with what they believe are legitimate job opportunities or project collaborations.

The group operates under made-up brands unrelated to any existing project, and also impersonates well-known brands such as Fortnite, Party Icon, RuneScape, Zoom, and PeerMe. In some cases, victims are directed to fake virtual meeting, messaging, and game applications that install the malware; in others, the malware is distributed as executables inside torrent files.

The toolkit is diverse, showing the group's capability for multi-platform and multi-vector attacks. On Windows, HijackLoader delivers either Stealc, a lightweight info-stealer designed to collect data from browsers and crypto wallet apps, or Rhadamanthys, which targets a broad range of applications and data types. A recent update to the latter added a clipper plugin capable of diverting cryptocurrency payments.

On macOS, Marko Polo deploys Atomic (AMOS), a stealer that harvests data stored in web browsers. AMOS can also brute-force MetaMask seeds and steal Apple Keychain passwords to obtain WiFi passwords, saved logins, credit card data, and other encrypted information stored on macOS.

To mitigate the risk of downloading and running infostealer malware, do not follow links shared by strangers and only download software from official project websites. The malware used by Marko Polo is detected by most up-to-date antivirus software, so scanning downloaded files before executing them should disrupt the infection process.

Source: https://www.bleepingcomputer.com/news/security/global-infostealer-malware-operation-targets-crypto-users-gamers/