Fake Meeting Software Spreads macOS Infostealer

Insikt Group, cybersecurity provider Recorded Future’s threat intelligence service, has observed a widespread malicious campaign targeting cryptocurrency users and involving Vortax, a fake virtual meeting software.

Vortax has a presence on social media and is marketed as a cross-platform and in-browser enterprise-focused alternative to other video chat services that leverages artificial intelligence to generate meeting summaries and action items and suggest questions or comments with its “MeetingGPT” product.

It maintains a Medium blog (medium[.]com/@vortax) with approximately 22 suspected AI-generated articles published between December 7 and 16, 2023. On X (formerly Twitter), the Vortax account even has a gold tick, meaning it is designated as a ‘Verified Organization.’

However, once installed, Vortax delivers three information stealers (infostealers) in cross-platform attacks (Rhadamanthys, Stealc and Atomic macOS Stealer, or AMOS) in an extensive campaign aimed at cryptocurrency theft.

The third infostealer, AMOS, is of particular importance to the researchers because it’s a rare occurrence of a macOS infostealer, which is less common than its Windows counterparts.

Rise in macOS Infostealers

Upon further investigation of the Vortax application, its network of associated accounts, and the malware it deployed, Insikt Group identified 23 other malicious macOS applications masquerading as legitimate. Most of these were targeting virtual meeting software and cryptocurrency users.

Insikt Group researchers also identified connections between the Vortax campaign and a previous infostealer campaign targeting web3 gaming projects.

“Based on these findings, we are confident that the two campaigns are affiliated with the same threat actor – previously identified by Insikt Group as using the AMOS UserID ‘markopolo’,” the researchers wrote.

“This scaled campaign is likely indicative of a widespread credential harvesting operation, which could imply that markopolo acts as an initial access broker (IAB) or ‘log vendor’ on a dark web shop, such as Russian Market or 2easy Shop; however, we have no evidence to make that assessment, as of this writing.”

In the previous report, Insikt Group also observed that mentions of macOS malware and exploit kits increased by 79% between 2022 and 2023 – a trend likely accelerated by increased use of the AMOS infostealer.

“Given its tight-knit community, we assess that other operators of AMOS will likely model future campaigns after the success of markopolo. This may result in a wider proliferation of AMOS in the wild, accompanied by diverse and wide-ranging campaigns attributed to individual threat actors, exacerbating the long-term threat of a less secure landscape for macOS users,” the researchers concluded.

Mitigation Recommendations

In its new Insikt Group report, Recorded Future shared a list of measures that would help mitigate the Vortax campaign and associated threats. These include:

• Ensure that detection systems for AMOS are regularly updated to prevent infections
• Educate users on the risks of downloading unapproved software, especially from social media or search engines
• Implement strict security controls to prevent the download of unlicensed software
• Encourage users to report suspicious activities encountered on social media and other platforms