
GrassCall malware campaign drains crypto wallets via fake job interviews


A recent social engineering campaign targeted job seekers in the Web3 space with fake job interviews through a malicious "GrassCall" meeting app that installs information-stealing malware to steal cryptocurrency wallets.

Hundreds of people have been impacted by the scam, with some reporting having their wallets drained in the attacks.

A Telegram group has been created to discuss the attack and for those impacted to help each other remove the malware infections from Mac and Windows devices.

The GrassCall social engineering attack

The campaign was conducted by a Russian-speaking "traffer team" known as Crazy Evil. This group conducts social engineering attacks to trick users into downloading malicious software on their Windows and Mac devices.

This cybercrime group is known for targeting users in the cryptocurrency space, where they promote fake games or job opportunities over social media.

Users are tricked into installing software that deploys information-stealing malware on devices that can be used to steal passwords, authentication cookies, and wallets from the compromised computer.

In a conversation with Choy, a Web3 professional who was targeted by the social engineering attack, BleepingComputer was told that the threat actors created an elaborate online persona consisting of a website and social media profiles on X and LinkedIn where they pretended to be a company named "ChainSeeker.io".

The threat actors then proceeded to take out premium job listings on LinkedIn, WellFound, and CryptoJobsList, one of the more popular job sites for Web3 and blockchain careers.

ChainSeeker jobs promoted on CryptoJobsList (Source: Choy)

People who applied for the jobs were sent an email containing an interview invite, where they would meet with the Chief Marketing Officer. The targets were prompted to reach out to the CMO via Telegram to coordinate the meeting.

Interview invitation from fake ChainSeeker company (Source: Choy)

When contacted, the fake CMO would tell the target that they needed to download a video meeting application called "GrassCall", using a website link and an invitation code included in the message.

Telegram conversation with fake ChainSeeker Chief Marketing Officer (Source: Choy)

The GrassCall software was downloaded from "grasscall[.]net," and would offer either a Windows or Mac client depending on the visitor's browser user agent.

GrassCall[.]net website (Source: BleepingComputer)
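Serving a different payload per platform based on the User-Agent header is a simple cloaking trick, and it is also easy to confirm from the outside. The script below is an added example written for this article, not code from the campaign or from BleepingComputer: it requests the same URL with a Windows, macOS and Linux browser User-Agent and compares the final URL, the Content-Disposition header and a SHA-256 of the body, so that a platform-specific download shows up as differing hashes. The User-Agent strings and the placeholder URL are the author's own; the fetcher is injectable so the comparison logic can be exercised offline. Run anything like this only against a live malicious site from an isolated analysis VM, since the response is the malware itself.

```python
"""Probe a download URL under several browser User-Agents and report whether
the server hands back different payloads per platform, the way the GrassCall
site reportedly chose a Windows or Mac client from the visitor's User-Agent.
Added example for this article; the URL below is a placeholder."""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Representative desktop User-Agent strings (constructed for this example).
USER_AGENTS = {
    "windows": ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/120.0 Safari/537.36"),
    "macos": ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
              "(KHTML, like Gecko) Version/17.0 Safari/605.1.15"),
    "linux": ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0 Safari/537.36"),
}

# A fetcher takes (url, user_agent) and returns
# (final_url_after_redirects, Content-Disposition header or "", body bytes).
Fetcher = Callable[[str, str], Tuple[str, str, bytes]]


def urllib_fetch(url: str, ua: str) -> Tuple[str, str, bytes]:
    """Real fetcher: one GET with the given User-Agent, redirects followed."""
    req = urllib.request.Request(url, headers={"User-Agent": ua})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return resp.geturl(), resp.headers.get("Content-Disposition", ""), resp.read()


def probe(url: str, fetch: Fetcher = urllib_fetch) -> Dict[str, dict]:
    """Fetch `url` once per platform UA and record what each one received."""
    results: Dict[str, dict] = {}
    for platform, ua in USER_AGENTS.items():
        final_url, disposition, body = fetch(url, ua)
        results[platform] = {
            "final_url": final_url,
            "content_disposition": disposition,
            "sha256": hashlib.sha256(body).hexdigest(),
            "size": len(body),
        }
    return results


def is_cloaked(results: Dict[str, dict]) -> bool:
    """True when at least two platforms received different bodies."""
    return len({r["sha256"] for r in results.values()}) > 1


if __name__ == "__main__":
    # Placeholder target; replace with the URL under analysis, from a sandbox.
    report = probe("https://example.invalid/download")
    for platform, info in report.items():
        print(f"{platform:8} {info['sha256'][:16]}  {info['size']:>9} B  "
              f"{info['content_disposition'] or info['final_url']}")
    print("per-platform payloads:", is_cloaked(report))
```

Differing hashes only prove that the server keys on the User-Agent; the GrassCall site additionally gated the download behind the invitation code from the Telegram chat, so a probe without that code sees only the landing page. Servers can also fingerprint on Accept-Language, referrer, IP geolocation or JavaScript-collected data, so identical hashes across User-Agents do not rule out cloaking.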

Cybersecurity researcher g0njxa, who has been tracking these threat actors, told BleepingComputer that the GrassCall website is a clone of a "Gatherum" website used in a previous campaign. The researcher says these websites are utilized as a part of social engineering attacks conducted by a Crazy Evil subgroup known as "kevland," which is also described in a report by Recorded Future.

"Gatherum is a self-proclaimed AI-enhanced virtual meeting software that is primarily advertised on social media (@GatherumAI) and an AI-generated Medium blog (medium[.]com/@GatherumApp)," explains a Recorded Future report on the Crazy Evil cybercriminals.

"Traffers assigned to Gatherum are provided with a manual for working the scam. Gatherum is managed by Crazy Evil subteam KEVLAND, tracked internally by Insikt Group as CE-6."

When visitors attempt to download the GrassCall app, they are prompted to enter the code shared by the fake CMO in the Telegram conversation.

After the correct code is entered, the website offers either a Windows "GrassCall.exe" client [VirusTotal] or a Mac "GrassCall_v.6.10.dmg" client [VirusTotal]. When executed, both programs install information-stealing malware or remote access trojans (RATs).

While it is unclear what information-stealing malware is dropped by the Windows client, the Mac version will install the Atomic (AMOS) Stealer malware.

When executed, the malware will attempt to steal files based on keywords, cryptocurrency wallets, passwords stored in Apple Keychain, and passwords and authentication cookies stored in web browsers.

G0njxa told BleepingComputer that the stolen information is uploaded to the operation's servers, and information about what was stolen is posted to Telegram channels used by the cybercrime enterprise.

"If a wallet is found, passwords are bruteforced and assets drained, and a payment is issued to the user who made the victim download the fake software," the researcher told BleepingComputer.

The researcher says the payment information for Crazy Evil members is publicly posted to Telegram, revealing that members of this operation can make tens, if not hundreds, of thousands of dollars for each victim they successfully drain.

Crazy Evil payment posted to Telegram (Source: G0njxa)

In response to the attacks, CryptoJobsList removed the job listings and warned those who applied that they were a scam and to scan their devices for malware.

Due to the public attention to this scam, the threat actors appear to have terminated this particular campaign, with the website no longer available.

However, anyone who installed the software should treat every secret on that device as compromised: change the passwords, passphrases, and authentication tokens for every website they use and sign out of existing sessions so stolen cookies stop working, all from a clean device. Any cryptocurrency wallet whose seed phrase or keystore was on the infected machine should be emptied into a wallet created on a clean device, because a stolen seed phrase cannot be rotated.
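The first question a victim has to answer is what the stealer could actually have read, since that decides which credentials and wallets are burned. The script below is an added example for this article, not code from the campaign, from BleepingComputer or from any vendor: it walks a macOS home directory and sorts the files it finds into the three artefact classes the article names for AMOS (Keychain, browser cookies and saved logins, wallet data), then lists the matching remediation. The path patterns are the author's assumptions about common locations of those files, not an AMOS signature, and the list is illustrative rather than exhaustive; the Windows variant's payload is not identified in the article, so only macOS paths are covered.

```python
"""Inventory what a macOS stealer such as AMOS could have read in $HOME so a
victim knows which secrets to treat as burned.  Added example for this
article; the path patterns are assumptions about common locations, not an
AMOS indicator list."""
from fnmatch import fnmatchcase
from pathlib import Path
from typing import Dict, Iterable, List

# $HOME-relative patterns grouped by what the file exposes.  In fnmatch '*'
# also matches '/', so one pattern covers nested layouts such as Chrome's
# Default/Cookies and Default/Network/Cookies.
TARGETS: Dict[str, List[str]] = {
    "keychain": [
        "Library/Keychains/login.keychain-db",
    ],
    "browser": [
        "Library/Application Support/Google/Chrome/*/Cookies",
        "Library/Application Support/Google/Chrome/*/Login Data",
        "Library/Application Support/BraveSoftware/Brave-Browser/*/Cookies",
        "Library/Application Support/Firefox/Profiles/*/cookies.sqlite",
        "Library/Application Support/Firefox/Profiles/*/logins.json",
    ],
    "wallet": [
        "Library/Application Support/Exodus/*",
        # MetaMask's Chrome extension ID; its vault lives in extension storage.
        "Library/Application Support/Google/Chrome/*/Local Extension Settings/"
        "nkbihfbeogaeaoehlefnkodbefgpgknn/*",
        ".electrum/wallets/*",
    ],
}

# What the victim has to do per class.  A stolen seed phrase cannot be
# rotated, so a wallet is abandoned rather than "reset".
ACTIONS = {
    "keychain": "Change every password stored in Keychain and revoke any client certificates.",
    "browser": "Change saved passwords and sign out of all sessions so stolen cookies stop working.",
    "wallet": "Move remaining funds to a wallet created on a clean device; never reuse the seed phrase.",
}


def classify(rel_paths: Iterable[str]) -> Dict[str, List[str]]:
    """Map $HOME-relative file paths to the exposure class they fall in."""
    found: Dict[str, List[str]] = {}
    for rel in rel_paths:
        for category, patterns in TARGETS.items():
            if any(fnmatchcase(rel, pat) for pat in patterns):
                found.setdefault(category, []).append(rel)
                break
    return {k: sorted(v) for k, v in found.items()}


def inventory(home: Path) -> Dict[str, List[str]]:
    """Walk a home directory and classify every regular file under it."""
    rels = (p.relative_to(home).as_posix() for p in home.rglob("*") if p.is_file())
    return classify(rels)


def remediation(found: Dict[str, List[str]]) -> List[str]:
    """Return the actions implied by the classes that were present."""
    return [ACTIONS[c] for c in TARGETS if c in found]


if __name__ == "__main__":
    hits = inventory(Path.home())
    for category, files in hits.items():
        print(f"[{category}] {len(files)} file(s), e.g. {files[0]}")
    for step in remediation(hits):
        print("-", step)
```

Presence of a file is an upper bound, not proof it was exfiltrated, but a stealer that ran with the user's privileges could read all of them, so the conservative response is to rotate everything in every class that was present. The same idea applies to any other wallet or password manager installed on the machine: add its storage path to TARGETS.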

Cybersecurity researcher MalwareHunterTeam, who has also been tracking these campaigns, told BleepingComputer that Crazy Evil has launched a new campaign pretending to be an NFT blockchain game called Mystix.

Like other campaigns by these threat actors, the game targets those in the crypto space and utilizes similar malware to steal cryptocurrency wallets.
