Fake Meeting Apps Targeting Web3 Professionals: How ‘Meeten’ Malware Steals Crypto and Sensitive Data

Cyber Strategy Institute
4 min read · Dec 6, 2024


Analysis of the “Meeten” Malware Campaign Targeting Web3 Professionals

Don’t forget you can vote up to 50 times a day for your favorite articles. We accept more than one vote.

The “Meeten” malware campaign represents a highly targeted and sophisticated operation aimed at professionals in the Web3 and cryptocurrency space. Cybercriminals are luring victims through fake business meeting applications, leading to credential theft and financial losses, primarily focused on cryptocurrency assets. Below is an in-depth review of the threat, its methodologies, and how users can protect themselves.

How the Attack Works

1. Initial Contact: Victims are approached through social engineering on platforms like Telegram, Discord, or email. Attackers impersonate trusted contacts or leverage shared interests in business opportunities, sometimes using detailed insider knowledge of the victim’s work.

2. Redirect to Fake Websites: Victims are directed to a website that mimics legitimate meeting platforms. These websites, like “Meeten,” “Clusee,” “Cuesee,” and others, host malicious meeting software for Windows and macOS. They often use AI-generated content and social media profiles to appear authentic.

Website spreading Realst stealer (Source: Cado Security Labs)

3. Installation and Infection:

  • macOS: Victims download a file, typically named CallCSSetup.pkg. The malware tricks users into granting system-level access by requesting their macOS password. After claiming an error like "Cannot connect to server," the malware remains operational in the background.
  • Windows: Victims install an NSIS-based executable (e.g., MeetenApp.exe) signed with stolen certificates. The malware uses obfuscated JavaScript to evade detection and persist between reboots.

4. Data Exfiltration: The malware, often a version of “Realst stealer,” collects sensitive data, including:

  • Cryptocurrency wallet credentials (Ledger, Trezor, Phantom, Binance, etc.).
  • Banking details and web browser autofill information from Google Chrome, Opera, Brave, Microsoft Edge, Arc, CocCoc, and Vivaldi.
  • Telegram credentials.
  • macOS Keychain data.

The collected data is packaged, encrypted, and sent to remote command-and-control servers.

5. Wallet Draining via JavaScript: Even before downloading malware, the website may execute JavaScript to compromise browser-based crypto wallets by stealing private keys or initiating unauthorized transactions.
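The page names the lure brands (Meeten, Clusee, Cuesee) and the installer file names (CallCSSetup.pkg, MeetenApp.exe) but does not show how a defender would hunt for them. The script below is an added example, not code from the article or from any vendor tool: it triages proxy log lines for visits to hostnames carrying one of those brand strings and for downloads of the named installers. The log format, the hostnames (all under the reserved `.example` domain), and the user names are constructed for the example; the indicator terms themselves are the ones the article lists.

```python
"""Triage proxy log lines for the Meeten lure indicators named in the article.

Added example. The log format and every hostname/user below are constructed;
only the brand strings and installer names come from the write-up.
"""
import re
from dataclasses import dataclass

# Brand strings the article lists for the fake meeting websites.
LURE_BRANDS = ("meeten", "clusee", "cuesee")
# Installer file names the article gives for the macOS and Windows payloads.
LURE_INSTALLERS = ("callcssetup.pkg", "meetenapp.exe")

# Constructed log format: "<ts> <user> <method> <host> <path> <status> <bytes>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)


@dataclass
class Alert:
    ts: str
    user: str
    host: str
    reason: str


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not fit the format."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Return the list of reasons a parsed record matches an indicator (empty if clean)."""
    reasons = []
    # Coarse hostname check: a DNS label equal to, or starting with, a lure brand.
    # Matches meeten.example and app.meeten.example but not meet.example.
    labels = rec["host"].lower().split(".")
    for brand in LURE_BRANDS:
        if any(label == brand or label.startswith(brand) for label in labels):
            reasons.append(f"lure brand '{brand}' in hostname")
    # Installer check: last path component compared case-insensitively.
    filename = rec["path"].rsplit("/", 1)[-1].lower()
    if filename in LURE_INSTALLERS:
        reasons.append(f"download of known lure installer '{filename}'")
    return reasons


def triage(lines):
    """Run every line through the parser and classifier; one Alert per matching reason."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the hunt
        for reason in classify(rec):
            alerts.append(Alert(rec["ts"], rec["user"], rec["host"], reason))
    return alerts


def users_at_risk(alerts):
    """Sorted list of distinct users who appear in at least one alert."""
    return sorted({a.user for a in alerts})


# Constructed sample log: two benign lines, one malformed line, three that should alert.
SAMPLE_LOG = """\
2024-12-05T09:14:02Z alice GET meet.example /calendar 200 1820
2024-12-05T09:16:40Z bob GET app.meeten.example /download/CallCSSetup.pkg 200 5242880
this line is not in the expected format
2024-12-05T09:17:05Z bob GET clusee.example / 200 4021
2024-12-05T09:20:11Z carol GET cdn.example /MeetenApp.exe 200 8388608
2024-12-05T09:21:00Z dave POST meeting-notes.example /upload 200 310
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a.ts} {a.user} {a.host}: {a.reason}")
    print("users to contact:", users_at_risk(found))
```

On the constructed sample this yields four alerts (the Meeten download line matches on both hostname and installer) and flags `bob` and `carol`. The brand prefix match is deliberately coarse; tune `LURE_BRANDS` against your own traffic before wiring this into an alerting pipeline, since a brand string can appear inside unrelated labels.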

Comparisons to Previous Campaigns

The Meeten malware campaign mirrors tactics seen in earlier campaigns like those involving “Vortax” or other infostealers distributed through Web3 lures. These campaigns similarly leverage social engineering and fake legitimacy through AI content. However, Meeten stands out due to:

  • Cross-platform targeting (Windows and macOS).
  • Pre-download JavaScript wallet draining capabilities.
  • Sophistication in mimicking legitimate business communications.

Sources: Coinlive, Bitget, Rhyno Cybersecurity.

How Warden Can Mitigate This Threat

Warden, with its Default Deny technology and Kernel API Virtualization, offers robust defenses against such threats:

  1. Default Deny: Prevents unauthorized software from executing, blocking malicious meeting apps before they can infect the system.
  2. Real-Time File Scanning: Detects malware signatures and anomalous behavior in downloads like CallCSSetup.pkg or MeetenApp.exe.
  3. Kernel API Virtualization: Protects sensitive processes and data, including cryptocurrency wallets and browser autofill credentials, from unauthorized access or exfiltration.
  4. Network Traffic Monitoring: Identifies and halts malicious connections to command-and-control servers, stopping data exfiltration.
  5. Social Engineering Defense: Helps administrators set policies to restrict the installation of non-verified software, minimizing human error risks.

Best Practices to Stay Safe

  1. Verify Software Authenticity: Cross-check any software’s legitimacy before downloading. Scan files with trusted multi-engine services such as VirusTotal.
  2. Be Wary of Social Engineering: Treat unsolicited communication with skepticism, especially if it involves business opportunities or urgent actions.
  3. Enable Two-Factor Authentication (2FA): Secure cryptocurrency wallets and online accounts with robust authentication.
  4. Restrict Admin Rights: Avoid entering system credentials unless absolutely necessary.
  5. Monitor Browser Extensions and Scripts: Use browser security tools to block unauthorized scripts.

By maintaining vigilance and leveraging solutions like Warden, individuals and organizations in the Web3 space can significantly reduce their risk of falling victim to such sophisticated campaigns.

Thanks for getting this far in our article. Don’t forget that you can vote up to 50 times a day for your favorite articles on Medium. We accept more than one vote, as it helps us spread cybersecurity insights into crypto. The more people that see this information, the more people we can help. We should share information about criminals and scammers to help protect each other, just like we pick up stray trash and put it in the trash can.

Further Resources about Cyber Strategy Institute:

If interested in other analysis, check out our other Medium articles and our In-depth Analysis articles, and for more of a daily understanding of the Cryptoverse follow our Twitter account. Relying on a dying cybersecurity model is not a foundation for success; that is what Warden changes for the good!

Warden

It is designed leveraging a Zero Trust model, stopping all known bad and unknown malicious threats. This starts by defending at the kernel level, so that software does not know it has been placed in a sandbox. We call this the “Inception Protection” model, which will not allow any program to impact your systems. No other system on the market can do this today. Protect your digital life, your family or your organization today with Warden!

If you want a 50% Discount on your purchase, then sign up for our newsletter, and we will send you the code for your support. Just reply to your first email saying you would like a discount.

Cyber Strategy Institute

Medium: https://cyberstrategy1.medium.com/

Twitter: https://twitter.com/CyberStrategy1

X: https://x.com/Warden_Secure

Website: https://cyberstrategyinstitute.com

Protect Yourself, Family or Business Today with Warden!

https://cyberstrategyinstitute.com/personal-protection-warden

Written by Cyber Strategy Institute

Crypto Security Truths - Scam Hunter, Zero Trust Endpoint Defense & writing about all things Crypto Security. Stay up to date on the latest threats by following us!