Russian hackers spread GrassCall malware to drain crypto wallets via fake job postings

As part of a social engineering campaign, hackers are reportedly sending fake job offers to job seekers in the web3 space with malicious intentions. A dubious meeting app called ‘GrassCall’ was recently used to spread malware that drains the user’s crypto wallets.

The fraud is allegedly carried out by a Russian hacker team known as “Crazy Evil.” This group of cybercriminals specializes in social engineering attacks that trick users into installing infected software on their Mac and Windows PCs. 

Crazy Evil commonly targets people in the crypto space, where they promote fake job opportunities and games via various social media websites. A cybersecurity company, Recorded Future, said that it has connected “over ten active scams on social media” to Crazy Evil.

Hackers posted fake jobs for a sham company called ChainSeeker.io

More recently, reports of another fake scam company surfaced. This time, the company was called ChainSeeker.io, according to an X user. 

According to the reports, threat actors created fake company profiles for ChainSeeker.io on LinkedIn, where they have been sending out premium job listings. Other popular job boards where the fake listing was spotted include CryptoJobList, and WellFound. 

All those who applied for the jobs were contacted via email, which instructed them to contact the company’s marketing chief on Telegram. 

The chief would then request the user download a video calling app named ‘GrassCall’ from a now-deleted website. Depending on the user’s browser, the website would offer them a Mac or Windows client.

After downloading the app, users are asked to enter a code shared by the CMO in the Telegram chat. The website then either provides a Mac “GrassCall_v.6.10.dmg” [VirusTotal] client or a Windows “GrassCall.exe” client [VirusTotal] client. Once the correct code is entered, both apps install an info stealer, like Rhadamanthys (on Windows), remote access trojans (RATs), or other malware. On Macs, the Atomic (AMOS) Stealer malware gets installed.

Once installed, the virus collects wallet addresses, authentication cookies, and passwords stored in the online browser and Apple Keychain. The stolen information gets uploaded to a server and gets posted on Telegram channels owned by the malicious actors. 

If a wallet is found, the hackers use a brute force method to crack the passwords and drain the user’s assets. From these assets, the hackers pay out the user who made the unsuspecting victim download the malicious app.

According to publicly released payment information, Crazy Evil members apparently earn tens of thousands of dollars per victim.

Various users have recounted their experiences after applying to such scam job postings. Cristian Ghita, a LinkedIn user, posted on the platform, “It looked legit from almost all angles. Even the video-conferencing tool had an almost believable online presence.”

The hackers have reportedly moved on to a social engineering new campaign

Cybersecurity researcher, Gonjxa, has also identified dubious meeting apps called Gatherum, and VibeCall. Gatherum was used in previous campaign by a subgroup of Crazy Evil called “Kevland.” Interestingly, both apps’ branding is pretty much identical to GrassCall. Now, the scammers have moved on to their new campaign with VibeCall, which is currently being circulated among Web3 job seekers.

In response to the attention this attack received online, Chain Seeker’s job postings have now reportedly been taken down by most of the job boards. 

LinkedIn search results do not return any job posts linked to Chainseeker.io anymore. At the same time, its website has been flagged in community databases for being suspicious. Furthermore, LinkedIn accounts of the company’s employees have all been deleted. Users who have already interacted with scammers or installed suspicious apps on their devices are advised to change their passwords and authentication tokens and move their crypto to fresh wallets as a precautionary measure. It is also recommended to turn on two-factor authentication via an authentication app on all websites that support this feature.