
Vortax (Dropper) – Malware

June 12, 2024

Vortax

Type of Malware

Dropper

Country of Origin

Unknown

Date of initial activity

2024

Targeted Countries

Global

Associated Groups

Markopolo

Motivation

Financial Gain

Attack Vectors

Phishing

Targeted Systems

Windows

Overview

Recorded Future’s Insikt Group has identified a malware campaign centered on Vortax, a purported virtual meeting application. The seemingly benign application is in reality a delivery mechanism for a suite of infostealers aimed at cryptocurrency enthusiasts and macOS users. The Vortax campaign, run by the threat actor known as “markopolo,” marks a significant escalation in the abuse of macOS for infostealer distribution.

Targets

Individual users’ information

How they operate

Infection Vectors and Initial Access

Vortax begins with deceptive distribution. Posing as a legitimate virtual meeting application, it lures users into downloading and installing the malware under the guise of necessary software updates or enhancements. Initial access is gained through these fake applications, which are spread via phishing campaigns or malicious websites. Once the application is executed, it silently deploys its payloads: the infostealers Rhadamanthys, Stealc, and AMOS. This initial access tactic aligns with the MITRE ATT&CK techniques Drive-by Compromise and Software Deployment Tools, relying on social engineering to trick users into compromising their own systems.

Execution and Infostealer Deployment

Upon installation, Vortax immediately begins executing its primary functions. It uses command-line interfaces and scheduled tasks to launch its infostealer payloads, which then start their data-collection routines. This reflects the Execution tactics outlined in MITRE ATT&CK. Once active, the infostealers harvest credentials and other sensitive data from the infected system.

Persistence and Evasion Techniques

Persistence is a critical part of Vortax’s strategy. To keep its foothold on infected systems, the malware modifies system configurations and processes so that it remains active across reboots and system updates; modifying registry keys or using startup folders are characteristic of its persistence methods. This aligns with the MITRE ATT&CK techniques Create or Modify System Process and Registry Run Keys / Start Folder. Vortax also uses anti-sandbox heuristics to avoid detection and analysis, allowing it to operate undetected for extended periods.

Data Exfiltration and Command and Control

Data exfiltration is a core function of Vortax’s infostealers. The malware communicates with command and control (C2) servers to transmit the stolen information, and this communication is encrypted to obscure the data being sent, making detection and interception harder. The techniques Exfiltration Over Command and Control Channel and Encrypted Channel are used to move the stolen data to the threat actor. The same C2 infrastructure lets Vortax receive further instructions, supporting ongoing data collection and management of infected systems.

Conclusion

The Vortax campaign highlights the growing sophistication of threats targeting macOS users. By disguising itself as legitimate software and deploying advanced infostealers, Vortax represents a significant threat to data security. Understanding its operational mechanisms shows how such malware functions and underscores the need for robust defenses. As the threat landscape continues to develop, vigilance and proactive defenses remain essential in mitigating the risk posed by malware like Vortax.

MITRE Tactics and Techniques

Initial Access (TA0001)

Tactic: Malware is distributed through deceptive virtual meeting software, leading users to download and install the malicious application.

Techniques:
  • Drive-by Compromise (T1189): Users are tricked into downloading the malware through malicious websites or misleading software updates.
  • Software Deployment Tools (T1074): The malware is presented as legitimate software to gain initial access.

Execution (TA0002)

Tactic: Once installed, Vortax executes its payload to deploy infostealers on the victim’s system.

Techniques:
  • Command-Line Interface (T1059): Execution of commands or scripts to install and run the infostealers.
  • Scheduled Task/Job (T1053): The malware may use scheduled tasks to maintain persistence.

Persistence (TA0003)

Tactic: Vortax ensures its persistence on infected systems to maintain access over time.

Techniques:
  • Create or Modify System Process (T1543): The malware may modify system processes or configurations to ensure it remains active.
  • Registry Run Keys / Start Folder (T1060): Potential modification of registry keys or startup folders to persist through reboots.

Exfiltration (TA0010)

Tactic: The infostealers extract sensitive data from the victim’s system.

Techniques:
  • Exfiltration Over Command and Control Channel (T1041): The malware communicates with C2 servers to transmit stolen information.
  • Data Staged (T1074): Staging data for later exfiltration to avoid detection.

Command and Control (TA0011)

Tactic: The malware uses C2 infrastructure to receive instructions and exfiltrate data.

Techniques:
  • Application Layer Protocol (T1071): Communication with C2 servers using HTTP/S or other application protocols.
  • Encrypted Channel (T1573): Use of encryption to obfuscate communication with C2 servers.

Credential Access (TA0006)

Tactic: The malware specifically targets and steals credentials from infected systems.

Techniques:
  • Credential Dumping (T1003): Extraction of user credentials stored on the system.
  • Input Capture (T1056): Capturing keystrokes or other input methods to gather login credentials.
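The persistence, execution and C2 behaviours described in the "How they operate" section and mapped above (Run keys, Startup folder, scheduled tasks, a shell spawned by a downloaded installer, and an outbound connection from that process lineage) are what a defender can look for in endpoint telemetry. The script below is an added example, not code from this page or from Recorded Future. It replays a handful of constructed Sysmon-style events (the paths, PIDs and IP addresses are invented, not Vortax indicators) through a small process tree and tags matches with the technique IDs used on this page; the page's "T1060" label corresponds to T1547.001 in current ATT&CK. The event field names and the SHELLS and SAMPLE_EVENTS names are this example's own assumptions.

```python
import re

# Constructed Sysmon-style telemetry. Paths, PIDs and IPs are illustrative
# sample values, not Vortax indicators of compromise.
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 4101, "ppid": 900,
     "image": r"C:\Users\alice\Downloads\VortaxSetup.exe",
     "cmdline": "VortaxSetup.exe /silent"},
    {"event": "process_create", "pid": 4188, "ppid": 4101,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c schtasks /create /tn Updater /tr "C:\Users\alice\AppData\Roaming\upd.exe" /sc onlogon'},
    {"event": "registry_set", "pid": 4101,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\alice\AppData\Roaming\upd.exe"},
    {"event": "file_create", "pid": 4101,
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk"},
    {"event": "network_connect", "pid": 4188, "dest_ip": "203.0.113.10", "dest_port": 443},
    # Benign activity that must not produce findings.
    {"event": "process_create", "pid": 5000, "ppid": 900,
     "image": r"C:\Program Files\Browser\browser.exe", "cmdline": "browser.exe"},
    {"event": "registry_set", "pid": 5000,
     "key": r"HKCU\Software\Browser\Settings\Theme", "value": "dark"},
    {"event": "network_connect", "pid": 5000, "dest_ip": "198.51.100.7", "dest_port": 443},
]

# Registry Run / RunOnce keys and the per-user Startup folder (page: T1060, now T1547.001).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Binaries executed from the Downloads folder are treated as untrusted (assumption of this example).
DOWNLOADS_RE = re.compile(r"\\Downloads\\", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Replay events in order, maintain a process tree, and return ATT&CK-tagged findings."""
    parent, image = {}, {}   # pid -> ppid, pid -> image path
    findings = []

    def from_downloaded_binary(pid):
        # Walk up the ancestry; True if pid or any recorded ancestor ran from Downloads.
        while pid in image:
            if DOWNLOADS_RE.search(image[pid]):
                return True
            pid = parent.get(pid)
        return False

    def flag(tid, name, ev, detail):
        findings.append({"technique": tid, "name": name, "pid": ev["pid"], "detail": detail})

    for ev in events:
        kind = ev["event"]
        if kind == "process_create":
            parent[ev["pid"]] = ev["ppid"]
            image[ev["pid"]] = ev["image"]
            # A shell spawned by an untrusted downloaded binary (page: T1059).
            if _basename(ev["image"]) in SHELLS and from_downloaded_binary(ev["ppid"]):
                flag("T1059", "Command-Line Interface", ev,
                     f"{_basename(image[ev['ppid']])} spawned {_basename(ev['image'])}")
            # Scheduled task creation on the command line (page: T1053).
            cl = ev["cmdline"].lower()
            if "schtasks" in cl and "/create" in cl:
                flag("T1053", "Scheduled Task/Job", ev, ev["cmdline"])
        elif kind == "registry_set" and RUN_KEY_RE.search(ev["key"]):
            flag("T1060", "Registry Run Keys / Start Folder", ev, ev["key"])
        elif kind == "file_create" and STARTUP_DIR_RE.search(ev["path"]):
            flag("T1060", "Registry Run Keys / Start Folder", ev, ev["path"])
        elif kind == "network_connect" and from_downloaded_binary(ev["pid"]):
            # Outbound traffic from the untrusted lineage; port 443 alone is not a sign of safety (page: T1071).
            flag("T1071", "Application Layer Protocol", ev,
                 f"{ev['dest_ip']}:{ev['dest_port']} from untrusted download lineage")
    return findings


def summarize(findings):
    """Count findings per technique ID."""
    counts = {}
    for f in findings:
        counts[f["technique"]] = counts.get(f["technique"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['technique']}] {f['name']} pid={f['pid']}: {f['detail']}")
    print(summarize(analyze(SAMPLE_EVENTS)))
```

Run directly, the script prints five findings for the constructed installer lineage and none for the browser process. In a real deployment the constructed list would be replaced by Sysmon event IDs 1 (process creation), 3 (network connection), 11 (file create) and 13 (registry value set), and the Downloads heuristic by your own definition of an untrusted origin.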
References
  • The Travels of “markopolo”: Self-Proclaimed Meeting Software Vortax Spreads Infostealers, Unveils Expansive Network of Malicious macOS Applications