Russian Hackers Deploy Fake Interviews, GrassCall App to Steal Crypto

Russia-based cybercrime group Crazy Evil deploys sophisticated social engineering to drain crypto from unsuspecting job seekers.

According to a recent BleepingComputer report, Crazy Evil ran the social-engineering campaign against job seekers in the Web3 and cryptocurrency space.

The report details how Web3 job seekers fell victim to a wallet-draining scam orchestrated by a Russian-speaking group. With the job market already difficult, the report warns, such scams have become commonplace.

Scammers Preying on Job Seekers

One of the Crazy Evil subgroups, identified as Kevland, reportedly set up a fake company website, ChainSeeker.io. Using fabricated identities, the group advertised bogus premium Web3 job listings on WellFound, CryptoJobsList, and LinkedIn.

Applicants received an email directing them to the company's supposed chief marketing officer (CMO) on Telegram. The fake CMO instructed victims to download a phony video-meeting application called GrassCall from the malicious website grass[.]net.

Once downloaded, GrassCall delivered a two-pronged malware payload tailored to the victim's operating system. Windows users received the Rhadamanthys RAT and information stealers, giving the attackers remote access and the ability to exfiltrate data.

macOS users were served the Atomic (AMOS) Stealer, a potent malware family built specifically to compromise macOS systems.

The installed malware harvested cryptocurrency wallet data, Apple Keychain contents, authentication cookies, passwords, and files containing passwords. The stolen data was uploaded to the attackers' servers and later shared in the group's Telegram channels.

Where a crypto wallet was found, the attackers attempted to brute-force its password and drain the funds. The operation then paid out to the members who had successfully installed the malware on a victim's machine.
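The one network indicator the article gives is the defanged download domain grass[.]net, plus the GrassCall application name. The following script is an added example (not code from the article, BleepingComputer, or Recorded Future) showing how a SOC analyst would turn those two indicators into a hunt over DNS, proxy and endpoint logs: it refangs the domain, matches it and its subdomains without catching look-alike names such as notgrass.net, and flags file events naming the app. The log lines are constructed for the example and the log formats are assumed; any other indicators would have to come from the original report.

```python
import re
from dataclasses import dataclass

# Indicators taken from the article: the defanged download domain and the
# application name. Anything else (other domains, hashes) is NOT on the page.
DEFANGED_DOMAINS = ["grass[.]net"]
APP_NAME = "GrassCall"


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as grass[.]net back into grass.net."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


DOMAINS = [refang(d) for d in DEFANGED_DOMAINS]

# Constructed sample log lines (not from the report): DNS, proxy and EDR
# events in an assumed key=value format, with benign noise and a look-alike.
SAMPLE_LOGS = [
    "2025-02-27T10:01:12Z dns client=10.0.0.5 query=app.grass.net type=A",
    "2025-02-27T10:01:13Z proxy client=10.0.0.5 url=https://app.grass.net/download/GrassCall.dmg status=200",
    "2025-02-27T10:02:40Z edr host=mac-07 event=file_create path=/Users/dev/Downloads/GrassCall.dmg",
    "2025-02-27T10:03:00Z dns client=10.0.0.9 query=www.wellfound.com type=A",
    "2025-02-27T10:03:05Z dns client=10.0.0.9 query=notgrass.net type=A",
]

# Pull hostnames out of DNS queries and URLs (assumed log layout).
HOST_RE = re.compile(r"(?:query=|https?://)([A-Za-z0-9.-]+)")


@dataclass
class Hit:
    line: str
    reason: str


def domain_matches(host: str, domain: str) -> bool:
    """True if host is the indicator domain or one of its subdomains.

    A suffix check with a leading dot avoids matching notgrass.net, which a
    plain substring search would flag as a false positive.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify(line: str):
    """Return a reason string if the line matches an indicator, else None."""
    for host in HOST_RE.findall(line):
        for domain in DOMAINS:
            if domain_matches(host, domain):
                return f"domain:{domain}"
    # Endpoint artifacts: the dropper file name, matched case-insensitively.
    if APP_NAME.lower() in line.lower():
        return f"artifact:{APP_NAME}"
    return None


def scan(lines):
    """Run every line through classify() and collect the hits in order."""
    return [Hit(line, reason) for line in lines if (reason := classify(line))]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"[{hit.reason}] {hit.line}")
```

Against the constructed logs this flags the two grass.net lines and the GrassCall.dmg file-create event, and leaves the WellFound query and the notgrass.net look-alike alone. A hit on the domain is a reason to pull the host's full timeline, because the article describes the same download leading to keychain, cookie and wallet theft.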

The Actors' Scheme

Scrutiny of the GrassCall website showed that it was not original: the group had cloned the legitimate Gatherum site. The attackers also impersonated real people to populate ChainSeeker.io's nonexistent leadership team.

While the job listings have been taken down from most job boards, one remains active on LinkedIn. One LinkedIn user, Cristian Ghita, considers the scam well orchestrated, given that the group had a live website, employees, and X and LinkedIn profiles.

The scale of the operation is evident from the dozens of victims describing similar experiences on social media. Many suffered significant financial losses as their crypto holdings were drained.

Security experts urged victims to change their passwords from an uninfected device and to move their cryptocurrency to new, secure wallets.

Threat intelligence firm Recorded Future has warned that gaming professionals, cryptocurrency holders, and NFT holders are the prime targets for this type of attack.

Crazy Evil has previously targeted the crypto and Web3 ecosystems with sophisticated social engineering combined with malware distribution. The group operates several subteams, including ZoomLand, DEF, Avland, Typed, and Kevland.

Investigators describe the group as specializing in identity fraud, distribution of information-stealing malware, and cryptocurrency theft. Notably, Crazy Evil goes after high-value victims, including gaming, tech, and crypto influencers.

Threat to Windows and macOS Systems

Crazy Evil threatens both Windows and macOS systems with a range of malware tools. Investigators have identified StealC, Angel Drainer, and AMOS as its primary payloads.

According to the Recorded Future report, Crazy Evil has run 10 active scams on social media since 2021. Its usual approach is to lure targets into installing malware, as seen in the recent campaign against job seekers.

The incident comes as the US Federal Bureau of Investigation (FBI) has repeatedly warned about crypto job scams. These schemes lure people hunting for employment opportunities, and some also pressure victims into making crypto payments.

The authorities point to scammers offering unusually high compensation for simple tasks, such as receiving cryptocurrency payments on someone else's behalf. While the jobs appear legitimate, they are in fact part of a larger money laundering scheme.

Federal authorities urge individuals to be cautious of unsolicited job offers and to refuse crypto payments to parties claiming to be employers. They also ask anyone encountering such schemes to report them to the agency.

By Michael Scott

Michael Scott is a skilled and seasoned news writer with a talent for crafting compelling stories. He is known for his attention to detail, clarity of expression, and ability to engage his readers with his writing.
