
Russian hackers Crazy Evil targeted foreigners' cryptocurrency: already $5 million in illegal profits and tens of thousands of hacked gadgets around the world

The Russian cybercrime group Crazy Evil, whose activities focus primarily on stealing digital assets, uses a variety of phishing lures to trick its victims into installing malware such as StealC, Atomic macOS Stealer (also known as AMOS), and Angel Drainer, targeting both Windows and macOS users.


Crazy Evil has been active since at least 2021. It is primarily a group of traffers (traffic redirectors) that route legitimate traffic to malicious landing pages operated by other criminal groups. The group is believed to be run by an entity known on Telegram as @AbrahamCrazyEvil, who has over 4,800 followers on @CrazyEvilCorp, The Hacker News reports.

Crazy Evil focuses on stealing digital assets, including NFTs, cryptocurrencies, payment cards, and online bank accounts. According to Recorded Future's Insikt Group, the criminal group has made over $5 million and compromised tens of thousands of devices worldwide.

In addition to orchestrating attack chains that carry out information theft and wallet draining, the group's administrators claim to provide instructions and guidance to their traffers and crypters for malicious payloads, and also boast an affiliate structure for delegating operations.

Crazy Evil is the second cybercriminal group centered on Telegram to be exposed in recent years, after Telekopye.

Newly recruited members are redirected by a Telegram bot controlled by the threat actor to other private channels: Payments, Logbar, Info, and Global Chat.

The cybercriminal group was found to consist of six subgroups: AVLAND, TYPED, DELAND, ZOOMLAND, DEFI, and KEVLAND, each of which runs a specific type of fraud that tricks victims into installing malicious tools from fake websites.

«As Crazy Evil continues to succeed, other cybercriminals are likely to emulate their methods, forcing security teams to remain constantly vigilant to prevent large-scale breaches and the erosion of trust in the cryptocurrency, gaming, and software sectors,» Recorded Future noted.

A cybersecurity firm recently uncovered a Traffic Distribution System (TDS) called TAG-124, which consists of a network of compromised WordPress sites. If visitors meet certain criteria, the compromised WordPress websites display fake Google Chrome update landing pages, which ultimately lead to malware infection.

Over 10,000 compromised WordPress sites were also discovered, acting as a distribution channel for AMOS and SocGholish in what was described as a client-side attack.

«JavaScript loaded into the user’s browser generates a fake page in an iframe,» says researcher Himanshu Anand. «The attackers are using outdated WordPress versions and plugins to make it harder to detect websites that don’t have client-side monitoring tools.»

Additionally, attackers are exploiting the trust in popular platforms like GitHub to host malicious installers, leading to the deployment of Lumma Stealer and other malware like SectopRAT, Vidar Stealer, and Cobalt Strike Beacon.

«The distribution method of Lumma Stealer continues to evolve, and the attacker is now using GitHub repositories to host the malware,» security researchers note. «The MaaS (malware-as-a-service) model provides attackers with a cost-effective and affordable means to conduct sophisticated cyberattacks and achieve their malicious goals, making it easier for threats like Lumma Stealer to spread.»

