Cado Security Labs has identified a Realst info-stealer that uses a fake meeting app to steal crypto wallets and inject malware. The scammers are tricking web3 workers into downloading an app, which has been called Meeten, Meetio, Meeten.gg, Meeten.us, Meetone.gg, Cluesee.com and Cuesee — it changes names frequently.
The threat actors use AI to generate and fill out blogs, websites and social media accounts on X and Medium to appear as legitimate companies before contacting targets and prompting them to download the app.
Once installed, the malware searches for sensitive information, including banking card details, Telegram logins and data on crypto wallets – specifically Ledger, Trezor, Phantom and Binance wallets – and sends it back to the attackers. It can also harvest browser cookies and autofill credentials from Google Chrome, Microsoft Edge, Opera, Brave, Arc, CocCoc and Vivaldi.
One user was contacted by someone impersonating an acquaintance, who then sent the target an investment presentation purportedly from the target's own company; others have reported joining calls about web3 work and being instructed to download the software.
Increasingly, AI is being used to generate content for malware campaigns. According to Cado Security Labs threat research lead Tara Gould, “Using AI enables threat actors to quickly create realistic website content that adds legitimacy to their scams and makes it more difficult to detect suspicious websites.”
These fake websites, which prompt victims to download malware instead of legitimate software, also contain JavaScript that can steal crypto wallets stored in web browsers – and that happens before any malware is installed. According to Paul Scott, Solutions Engineer at Cado Security, “If a user has their wallet unlocked in their browser and visits a malicious website, the JavaScript on the site automatically checks if there are unlocked wallets present and will attempt to transfer crypto coins to a wallet the attacker controls.”
This campaign has been active for at least four months, has both macOS and Windows variants and appears to be a variant of the Realst infostealer first discovered in 2023 by security researcher iamdeadlyz.
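Because the campaign rotates brand names and domains, a defender hunting four months of DNS or proxy logs needs to match more than one exact hostname. The script below is an added example written for this article, not code from Cado Security or the report; it assumes a simple tab-separated log layout (timestamp, client IP, queried name) and uses constructed sample lines, and it flags both the domains the article names and any host whose second-level label carries one of the brand names listed above.

```python
import re

# Domains the campaign has used so far, as named in the article above.
KNOWN_DOMAINS = {"meeten.gg", "meeten.us", "meetone.gg", "cluesee.com"}
# The operators rebrand often, so also flag hosts whose second-level label
# carries one of the brand names the article lists.
BRAND_TOKENS = ("meeten", "meetio", "meetone", "cluesee", "cuesee")

# Constructed sample lines in a tab-separated DNS log layout
# (timestamp, client IP, queried name); not real telemetry.
SAMPLE_LOG = """\
1733400000.1\t10.0.0.12\tslack.com
1733400001.4\t10.0.0.12\tapp.meeten.gg
1733400002.8\t10.0.0.34\tmeetio.app
1733400003.2\t10.0.0.34\tgithub.com
1733400004.9\t10.0.0.12\tMEETEN.US.
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\t(?P<src>\S+)\t(?P<query>\S+)$")


def classify_host(host):
    """Return 'known', 'suspected' or None for a queried hostname."""
    labels = host.strip().lower().rstrip(".").split(".")
    # Exact match on a known domain or any subdomain of it.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in KNOWN_DOMAINS:
            return "known"
    # Brand-name match on the label just before the TLD (simple heuristic;
    # multi-part TLDs such as co.uk would need a public-suffix lookup).
    if len(labels) >= 2 and any(tok in labels[-2] for tok in BRAND_TOKENS):
        return "suspected"
    return None


def hunt(log_text):
    """Return a list of (src_ip, hostname, verdict) for every matching line."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip headers or malformed lines
        verdict = classify_host(m.group("query"))
        if verdict:
            hits.append((m.group("src"), m.group("query").lower().rstrip("."), verdict))
    return hits


if __name__ == "__main__":
    for src, host, verdict in hunt(SAMPLE_LOG):
        print(f"{verdict:9} {src:12} {host}")
```

A "suspected" hit on a host not in the known list is a lead to triage, not proof of compromise; "known" hits warrant checking the client for the fake app and for wallet or browser-credential theft.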
How to stay safe
The researchers advise users to be careful when being approached about business opportunities — especially through Telegram. Even if the contact appears to be an existing, known contact, it is essential to verify the account. Always be diligent when opening links.
Never open anything from someone you don't know or are not expecting. If you receive a link, contact the sender and ask them if they've sent it and why. If they've sent something in Telegram and usually contact you in Slack, contact them on the platform where you typically discuss business.
Make sure you're running one of the best antivirus programs and that it is kept up to date. Use a secure browser if one is available, too.