Cybercriminals have set their sights on Mac users intrigued by cryptocurrency opportunities, deploying fake calendar invites as a means to infiltrate their systems with malware. Brian Krebs, a cybersecurity expert, highlighted this alarming trend, revealing how scammers impersonate cryptocurrency investors on Telegram channels to entice unsuspecting individuals into fraudulent meetings about potential partnerships. One prominent investor, Signum Capital, even issued a warning in January after discovering their team member was being impersonated and sending out deceptive invites via direct messages on Telegram.
The modus operandi of these cybercriminals involves reaching out to targets on Telegram, gauging their interest in cryptocurrency discussions, and then sending fabricated meeting invitations. When victims try to join the meeting, the invitation links do not work. The scammers falsely blame this on a regional access restriction and advise victims to run a script to fix the issue. Thomas Reed, Director of Core Technology at Malwarebytes, underscores the threat posed by such scripts, particularly AppleScripts, which can easily obtain administrator permissions and then carry out malicious activities without any further authentication prompt.
Reed explains that AppleScripts offer cybercriminals an easily executable method for compromising Mac users, as they are not only simple to write but also difficult to reverse engineer once compiled. These scripts can take various forms, from .scpt files to AppleScript applets, each presenting its own advantages and drawbacks for criminals.
Even though the script's code may be visible to the user, the ease of obfuscation and users' tendency to overlook such details make AppleScripts an attractive tool for deploying malware. In this case, the script used a straightforward method to download and execute a macOS-oriented Trojan; its specifics remain undisclosed, but given the context of the scam it is expected to target cryptocurrency assets.