Overview
The Nortex MP4 campaign, attributed to the cybercriminal group Marko Polo (MP4), is an emerging and sophisticated operation that exploits social engineering tactics to distribute malicious software under the guise of a legitimate Web3 application. Claiming to be an all-in-one decentralized platform designed for Web3 enthusiasts, Nortex is marketed as a messaging service, productivity software, and social network. In reality, the application serves as a front for malware distribution, with no real functionality to back its promises. Instead, it aims to deceive users into downloading harmful software that compromises their systems.
At the heart of the Nortex scam lies a carefully orchestrated process that begins with fake advertisements on various platforms, including social media, enticing victims to download the Nortex client. Once the victim installs the software, it downloads and executes different forms of malware, depending on the victim’s operating system. Windows OS users receive HijackLoader and
Stealc, malware that is designed to steal sensitive information such as login credentials and cryptocurrency wallets. macOS users are targeted with AMOS, another piece of malware linked to previous operations by Marko Polo. These malware variants give cybercriminals remote access to infected machines, allowing them to exfiltrate data and further their malicious activities.
Targets
Individuals
Information
How they operate
The first step in the Nortex campaign involves the social engineering aspect, where the attackers use fake advertisements and fraudulent job offers to lure victims to their malicious website, nortexapp.xyz. Once a victim visits the site, they are prompted to download the Nortex client, which masquerades as a legitimate Web3 application. The Windows OS version of the client is delivered through Dropbox and downloads the Nortex.exe file, which contains the HijackLoader and Stealc malware. HijackLoader facilitates the injection of additional payloads, while Stealc is designed to steal sensitive information, including credentials, banking information, and cryptocurrency wallets.
For macOS users, the installation process is similarly deceptive. When visiting the Nortex website, they are prompted to download a file named NortexApp.dmg, which contains the
AMOS malware. This malware allows remote access to the infected machine, enabling attackers to exfiltrate data and maintain persistence within the compromised system. The AMOS
malware also communicates with a Marko Polo command-and-control (C2) server, allowing the attackers to issue commands and control the infected machines remotely.
The Nortex campaign’s use of cloud-based hosting services, such as Dropbox for Windows OS malware delivery and Cloudflare for domain hosting, is a key component of its success. These services are commonly used for legitimate purposes, which makes the malicious activity harder to detect. Additionally, the malware configuration files are fetched from different domains associated with Marko Polo, including showpiecekennelmating.com for the Windows client and allieat.com for the macOS version. The use of Cloudflare’s infrastructure ensures that the campaign can scale easily and avoid detection by traditional cybersecurity tools. The constantly changing IP addresses and domains used by the attackers further complicate efforts to shut down the operation.
Moreover, the Marko Polo group has shown remarkable adaptability by shifting infrastructure when their previous domains or IP addresses are flagged. For example, the macOS version of Nortex has moved between several domains, such as ask-ashika.com, punitrai.com, and rafaelsuarezlopez.com. This active infrastructure pivoting is indicative of the group’s commitment to avoiding long-term tracking and detection. The use of multi-part encoding in C2 communication and the presence of build IDs, such as night20, suggest that the attackers are continuously refining their operations to make the malware more resilient and harder to trace.
Overall, the technical operation of the Nortex MP4 campaign showcases the increasing sophistication of modern cybercriminal groups. By exploiting the trustworthiness of cloud-based services, employing advanced social engineering tactics, and utilizing flexible infrastructure, Marko Polo is able to deliver malware to unsuspecting users while evading detection. Understanding these technical intricacies is essential for defending against this and similar threats, as the landscape of cybercrime continues to evolve with greater complexity.
References:
