Insikt Group, part of Recorded Future’s threat intelligence service, uncovered a malicious campaign involving Vortax, a fake virtual meeting software targeting cryptocurrency users. Marketed as a legitimate cross-platform tool with AI features, Vortax deceives users into installing the software, which then deploys three infostealers: Rhadamanthys, Stealc, and Atomic macOS Stealer (AMOS). The presence of AMOS is particularly concerning due to the rarity of macOS-targeting infostealers compared to those for Windows.
Further investigation revealed that Vortax is part of a broader campaign affecting cryptocurrency and virtual meeting software users, with 23 other malicious macOS applications identified. The campaign’s scale and sophistication suggest it may be linked to a previous infostealer operation targeting web3 gaming projects. The threat actor, known as “markopolo,” may be acting as an initial access broker or log vendor on dark web marketplaces.
Insikt Group noted a significant increase in macOS malware activity, with mentions of macOS malware and exploit kits rising by 79% between 2022 and 2023. This trend is likely fueled by the growing use of AMOS, indicating that future campaigns may follow the success of markopolo, leading to a more insecure environment for macOS users. The report underscores the need for heightened vigilance and improved security measures to protect against these evolving threats.
To mitigate the risks associated with the Vortax campaign, Recorded Future recommends several measures. These include regularly updating detection systems for AMOS, educating users on the dangers of downloading unapproved software, implementing strict security controls to prevent the download of unlicensed software, and encouraging users to report suspicious activities. By adopting these practices, organizations can better defend against the sophisticated tactics employed by threat actors like those behind Vortax.