Cybercriminal Campaign Spreads Infostealers, Highlighting Risks to Web3 Gaming
Insikt Group identified an extensive Russian-language cybercriminal campaign leveraging fraudulent Web3 gaming projects to deliver multiple variants of information stealer (“infostealer”) malware to both macOS and Windows devices. Web3 gaming refers to online games built on blockchain technology, which can result in financial gain for players who earn various cryptocurrencies. These fraudulent Web3 projects mimic legitimate projects with slight alterations in project names and branding. This fraudulent branding also includes multiple social media accounts that impersonate legitimate projects, which may provide an appearance of authenticity.
The targeted nature of this campaign suggests that threat actors may perceive Web3 gamers as having a more acute vulnerability to social engineering, due to an assumed trade-off in cyber hygiene — meaning that Web3 gamers may have fewer protections in place against cybercrime — in the pursuit of profit. The threat actors behind the campaign are creating the infrastructure necessary to enable redundancy and continuity, and the campaign’s agile nature implies resilience, indicating that it might be relatively straightforward for the threat actors to exit or rebrand once identified. We observed that the version of AMOS distributed in this campaign can infect both Intel-based and ARM-based (Apple M1) Macs, meaning that victims using either chipset may be vulnerable to the infostealer. Given the audience of Web3 gaming projects, it is almost certain that the threat actors are primarily targeting victims with cryptocurrency wallets. As wallet compromise continues to be the biggest threat in both Web3 and cryptocurrency security, measured by total cost, we assess that wallet compromise is likely the end goal of this campaign; however, the harvested credentials could be used for an array of unauthorized account accesses.
The campaign’s tactics, techniques, and procedures (TTPs) enable continued efficacy against mitigations based solely on endpoint detection and response (EDR) or antivirus (AV) products; targeted individuals and organizations must respond to the campaign’s cross-platform threat with a comprehensive mitigation strategy. Russian-language artifacts in the HTML code of these projects suggest the threat actors are likely Russian speakers. While we cannot make a determination of their exact location, the presence of such artifacts suggests that the threat actors could be located in Russia or a nation within the Commonwealth of Independent States (CIS).
Continuous monitoring of this campaign may not be feasible, meaning that individuals and organizations must mitigate against the broader attack vector itself. Since the campaign spreads via “trap phishing” software downloads, comprehensive awareness and user education campaigns are vital to discourage potential victims from downloading software from unverified and unofficial sources. Further recommendations are provided in the Mitigations section of this report.
Organizations operating in Web3 gaming or adjacent industries — such as the broader gaming industry or cryptocurrency exchanges, among others — risk their projects being impersonated as part of this campaign, which may lead to significant brand impairment if not remediated. While it is difficult to determine the financial loss from brand impairment, affected Web3 projects risk damaging their reputation with their entire user base and the broader Web3 gaming industry if a campaign like this is not addressed. Given the agile nature of this campaign, we assess that these threat actors will likely continue to target Web3 gaming projects with infostealers.
Web of Deceit: The Rise of Imitation Web3 Gaming Scams and Malware Infections
The campaign involves creating imitation Web3 gaming projects with slight name and branding modifications to appear legitimate, along with fake social media accounts to bolster their authenticity. The main webpages of these projects offer downloads that, once installed, infect devices with various types of "infostealer" malware such as Atomic macOS Stealer (AMOS), Stealc, Rhadamanthys, or RisePro, depending on the operating system.
Fraudulent Web3 gaming project status (Source: Recorded Future)
The campaign targets Web3 gamers, exploiting their potential lack of cyber hygiene in the pursuit of profits. It represents a significant cross-platform threat, utilizing a variety of malware to compromise users' systems. The threat actors have prepared a resilient infrastructure, allowing them to quickly adapt by rebranding or shifting focus upon detection. The report highlights the necessity of continuous vigilance and recommends that individuals and organizations adopt comprehensive mitigation strategies against these sophisticated phishing tactics.
Specific findings reveal that the malware versions, including AMOS, can infect both Intel and Apple M1 Macs, indicating a broad vulnerability among users. The primary goal appears to be the theft of cryptocurrency wallets, posing a significant risk to financial security. Despite potential mitigations like endpoint detection and antivirus software, the campaign's techniques remain effective, suggesting the need for broader defense measures. Artifacts within the HTML code hint at the Russian origin of the threat actors, though their exact location remains uncertain. The report underscores the critical need for awareness and education to prevent downloads from unverified sources, highlighting the risk of brand damage to legitimate Web3 gaming projects if such threats are not adequately addressed.
Note: This report summary was first published on April 11, 2024 and has been updated on October 29, 2024. The original analysis and findings remain unchanged.
Appendix A — Indicators of Compromise
Domains:
ai-zerolend[.]xyz
argongame[.]com
argongame[.]fun
argongame[.]network
argongame[.]xyz
astration[.]io
astrationgame[.]com
astrationgame[.]io
astrationplay[.]com
astrationplay[.]io
blastl2[.]net
cosmicwayrb[.]org
crypterium[.]world
crypteriumplay[.]com
crypteriumplay[.]io
crypteriumworld[.]io
dustfighter[.]io
dustfighter[.]space
dustfightergame[.]com
dustoperation[.]xyz
gameastration[.]com
playastration[.]com
playcrypterium[.]com
playcrypterium[.]io
testload[.]pythonanywhere[.]com
vether-testers[.]org
vether[.]org
worldcrypterium[.]io
IP Addresses:
5.42.64[.]83
5.42.65[.]55
5.42.65[.]102
5.42.65[.]106
5.42.65[.]107
5.42.66[.]22
5.42.67[.]1
31.31.196[.]178
31.31.196[.]161
82.115.223[.]26
89.105.201[.]132
144.76.184[.]11
193.163.7[.]160
File Hashes (SHA-256):
073d524d8fc005acc05162f2e8574688a076d7888ec180c0ff78cab09b92ce95
0d9877eefd26756e2ecee3d806d60cb72bcb33d880f06e2f0e12c7c85d963426
0ed67ebecabb5fd7c4d41e521054154dbda0712845cb6f1b5b403c9f4d71ed4a
434878a4416201b4f26d1414be9126ae562c9f5be3f65168e48c0e95560460ac
4841020c8bd06b08fde6e44cbe2e2ab33439e1c8368e936ec5b00dc0584f7260
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
56a11900f952776d17637e9186e3954739c0d9039bf7c0aa7605a00a61bd6543
63724fbab837988311a551d4d9540577f822e23c49864095f568324352c0d1fd
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a
7d35dd19ee508c74c159e82f99c0483114e9b5b30f9bc2bd41c37b83cfbcd92d
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
8d7df60dd146ade3cef2bfb252dfe81139f0a756c2b9611aaa6a972424f8af85
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
b2e2859dd87628d046ac9da224b435d09dd856d9ad3ede926aa5e1dc9903ffe8
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
c299089aca754950f7427e6946a980cedfded633ab3d55ca0aa5313bb2cc316c
ccd6375cd513412c28a4e8d0fdedf6603f49a4ac5cd34ddd53cc72f08209bd83
e1657101815c73d9efd1a35567e6da0e1b00f176ac7d5a8d3f88b06a5602c320
ea592d5ca0350a3e46e3de9c6add352cd923206d1dcc45244e7a0a3c049462a4
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa
f5e3f5d769efc49879b640334d6919bdb5ba7cae403317c8bd79d042803e20ce
f6893fba30db87c2415a1e44b1f03e5e57ac14f9dbd2c3b0c733692472f099fd
fabfe1bcce7eade07a30ff7d073859e2a8654c41da1f784d3b58da40aaeef682
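The indicators above are published defanged ("[.]" in place of "."), so they have to be refanged before they can be compared against DNS or proxy telemetry, and a plain substring search produces both false positives (a lookalike such as a hostname that merely ends in "argongame.com") and false negatives (subdomains of a listed domain, or a listed IP followed by a port). The following is an added example, not code from the Insikt Group report: it refangs a subset of the Appendix A domains and IPs, matches hostnames on label boundaries and IPs as parsed addresses, and runs that over constructed key=value log lines; the log format is an assumption.

```python
"""Refang and match the report's IoCs against DNS/proxy log lines.

Added example, not code from the Insikt Group report: the indicator strings
are copied from Appendix A, the log lines are constructed for illustration,
and the log format (space-separated key=value fields) is an assumption.
"""
import ipaddress
import re

# A subset of the Appendix A indicators, kept in their defanged form so the
# list can be pasted straight from the report.
DEFANGED_DOMAINS = [
    "argongame[.]com",
    "astrationplay[.]io",
    "dustfighter[.]io",
    "dustfightergame[.]com",
    "testload[.]pythonanywhere[.]com",
    "vether-testers[.]org",
]
DEFANGED_IPS = ["5.42.65[.]102", "31.31.196[.]178", "144.76.184[.]11"]

# Constructed log lines (not from the report). Lines 1, 2 and 5 should hit;
# lines 3 and 4 are near misses that a naive substring match would get wrong.
SAMPLE_LOG_LINES = [
    "2024-03-01T10:14:02Z dns client=10.0.0.5 q=cdn.argongame.com a=104.21.0.1",
    "2024-03-01T10:14:05Z proxy client=10.0.0.5 dst=5.42.65.102:443 host=dustfighter.io",
    "2024-03-01T10:15:00Z dns client=10.0.0.7 q=notargongame.com a=198.51.100.9",
    "2024-03-01T10:16:10Z dns client=10.0.0.8 q=other.pythonanywhere.com a=198.51.100.10",
    "2024-03-01T10:17:30Z dns client=10.0.0.9 q=testload.pythonanywhere.com a=198.51.100.11",
]

# Anything that looks like a hostname or dotted IPv4 literal in a log line;
# a ':' port suffix is naturally excluded.
TOKEN_RE = re.compile(r"[a-z0-9][a-z0-9.-]*")


def refang(indicator: str) -> str:
    """Undo the common defanging conventions ('[.]', '(.)', '[dot]', 'hxxp')."""
    s = indicator.strip().lower()
    for broken, fixed in (("[.]", "."), ("(.)", "."), ("[dot]", ".")):
        s = s.replace(broken, fixed)
    if s.startswith("hxxp"):
        s = "http" + s[4:]
    return s


class IocMatcher:
    """Matches hostnames (including subdomains) and IP literals against the list."""

    def __init__(self, defanged_domains, defanged_ips):
        self.domains = {refang(d).rstrip(".") for d in defanged_domains}
        self.ips = {ipaddress.ip_address(refang(i)) for i in defanged_ips}

    def match_domain(self, name: str):
        """Return the listed domain that `name` equals or is a subdomain of.

        Matching walks label boundaries, so 'cdn.argongame.com' hits
        'argongame.com' while 'notargongame.com' does not.
        """
        labels = name.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None

    def match_ip(self, text: str):
        """Return the listed IP equal to `text`, or None if not an IP or not listed."""
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            return None
        return str(ip) if ip in self.ips else None


def scan(lines, matcher: IocMatcher):
    """Scan log lines; return (line_no, kind, token, indicator) for each hit."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for token in TOKEN_RE.findall(line.lower()):
            ip_hit = matcher.match_ip(token)
            if ip_hit:
                hits.append((line_no, "ip", token, ip_hit))
                continue
            dom_hit = matcher.match_domain(token)
            if dom_hit:
                hits.append((line_no, "domain", token, dom_hit))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG_LINES, IocMatcher(DEFANGED_DOMAINS, DEFANGED_IPS)):
        print("line %d: %s %s matched indicator %s" % hit)
```

Note that the full hostname testload[.]pythonanywhere[.]com is listed, not the shared platform under it, so matching on label boundaries keeps other tenants of that platform out of the results; a suffix or substring search would not. Hashes from the same appendix can be checked separately against endpoint file-hash telemetry once refanged the same way (they are not defanged, so a case-insensitive set lookup is enough).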
Appendix B — MITRE ATT&CK Techniques
Technique: Sub-technique | ATT&CK Code |
Data Obfuscation | T1001 |
Data from Local System | T1005 |
Query Registry | T1012 |
Obfuscated Files or Information | T1027 |
Exfiltration Over C2 Channel | T1041 |
Scheduled Task/Job | T1053 |
Process Discovery | T1057 |
Command and Scripting Interpreter | T1059 |
Application Layer Protocol | T1071 |
System Information Discovery | T1082 |
Modify Registry | T1112 |
Data Encoding: Standard Encoding | T1132.001 |
Indirect Command Execution | T1202 |
User Execution | T1204 |
User Execution: Malicious Link | T1204.001 |
User Execution: Malicious File | T1204.002 |
Virtualization/Sandbox Evasion | T1497 |
Steal Web Session Cookie | T1539 |
Unsecured Credentials | T1552 |
Unsecured Credentials: Credentials in Files | T1552.001 |
Disable or Modify Tools | T1562.001 |
Phishing | T1566 |
Acquire Infrastructure: Domains | T1583.001 |
Acquire Infrastructure: Web Services | T1583.006 |
Acquire Infrastructure: Malvertising | T1583.008 |
Establish Accounts: Social Media Accounts | T1585.001 |
Develop Capabilities | T1587 |
Gather Victim Identity Information: Credentials | T1589.001 |
Gather Victim Host Information: Software | T1592.002 |
Financial Theft | T1657 |
Appendix C — Domain and IP Correlations
Domain | Created | IP Address | Server | Active |
astration[.]io | 2023-10-31 | 5.42.66[.]22 | nginx/1.22.0 | No |
astrationplay[.]io | 2024-01-20 | 5.42.66[.]22 | Golfe2 | No |
astrationplay[.]com | 2024-01-21 | 5.42.66[.]22 | Golfe2 | No |
astrationgame[.]com | 2024-02-07 | 5.42.66[.]22 | nginx/1.22.0 | No |
astrationgame[.]io | 2024-02-07 | 5.42.66[.]22 | nginx/1.22.0 | No |
playastration[.]com | 2024-02-08 | 5.42.66[.]22 | nginx/1.22.0 | No |
gameastration[.]com | 2024-02-12 | 5.42.66[.]22 | nginx/1.22.0 | Yes |
dustfighter[.]io | 2024-01-31 | 5.42.65[.]102 | nginx/1.22.0 | Yes |
dustfighter[.]space | 2024-02-22 | 5.42.65[.]102 | N/A | No |
dustfightergame[.]com | 2024-02-26 | CLOUDFLARE | CLOUDFLARE | Yes |
dustoperation[.]xyz | 2024-02-25 | 31.31.196[.]178 | nginx | Yes |
ai-zerolend[.]xyz | 2024-02-23 | 31.31.196[.]161 | N/A | No |
cosmicwayrb[.]org | 2023-10-27 | CLOUDFLARE | CLOUDFLARE | Yes |
argongame[.]com | 2023-12-16 | CLOUDFLARE | CLOUDFLARE | Yes |
argongame[.]network | 2024-02-04 | CLOUDFLARE | CLOUDFLARE | Yes |
argongame[.]fun | 2024-02-04 | CLOUDFLARE | CLOUDFLARE | No |
argongame[.]xyz | 2024-02-04 | CLOUDFLARE | CLOUDFLARE | Yes |
crypteriumplay[.]com | 2023-09-09 | 5.42.67[.]1 | nginx/1.22.0 | No |
playcrypterium[.]com | 2023-09-19 | 5.42.67[.]1 | nginx/1.22.0 | No |
playcrypterium[.]io | 2023-10-11 | 5.42.67[.]1 | nginx/1.22.0 | No |
worldcrypterium[.]io | 2023-09-06 | 5.42.67[.]1 | nginx/1.22.0 | No |
crypterium[.]world | 2023-08-03 | CLOUDFLARE | CLOUDFLARE | No |
crypteriumworld[.]io | 2023-08-28 | 5.42.64[.]83 | nginx/1.22.0 | No |
crypteriumplay[.]io | 2023-10-25 | 5.42.65[.]102 | AliyunOSS | No |
vether[.]org | 2023-11-30 | CLOUDFLARE | CLOUDFLARE | Yes |
vether-testers[.]org | 2024-01-30 | 82.115.223[.]26 | nginx/1.20.2 | Yes |