Full Report
A recent social engineering campaign targeted job seekers in the Web3 space with fake job interviews through a malicious "GrassCall" meeting app that installs information-stealing malware to steal cryptocurrency wallets. [...]
Analysis Summary
# Incident Report: GrassCall Fake Job Interview Crypto Drain Scam
## Executive Summary
Attackers, identified as the "Crazy Evil" cybercrime enterprise, ran a social engineering and malware distribution campaign against cryptocurrency users under the guise of legitimate Web3 job interviews, to be held on a fake meeting application called "GrassCall." Initial access was achieved by persuading victims to download and run a purported interview client (Windows or Mac) that installed information-stealing malware, including Atomic Stealer on macOS, which harvested cryptocurrency wallets, saved passwords, and browser data. The operation drained victims' wallets, and the perpetrators posted successful drains to Telegram channels; the GrassCall site and campaign appear to have been shut down following public disclosure.
## Incident Details
- **Discovery Date:** Not explicitly stated; reported after tracking by independent security researchers (G0njxa, MalwareHunterTeam).
- **Incident Date:** Not specified; activity ran for as long as the fake job listings were live.
- **Affected Organization:** Individuals seeking Web3 employment who applied to jobs listed on platforms such as CryptoJobsList.
- **Sector:** Cryptocurrency/Web3 employment and finance.
- **Geography:** Global, targeting crypto users.
## Timeline of Events
### Initial Access
- **Date/Time:** Concurrent with the fake job postings (exact timing not specified).
- **Vector:** Phishing/social engineering via fake job interviews.
- **Details:** Attackers posted fraudulent Web3 job listings on job boards (e.g., CryptoJobsList) to attract targets. Applicants were told to download and run a fake interview client, `GrassCall_v.6.10.exe` (Windows) or `GrassCall_v.6.10.dmg` (Mac).
### Lateral Movement
- Not explicitly detailed as the malware was focused on local system compromise and data harvesting rather than network pivoting.
### Data Exfiltration/Impact
- **Details:** Stolen information (files matching keywords, cryptocurrency wallet credentials, Apple Keychain data, browser passwords, and authentication cookies) was uploaded to the operation's servers. Information regarding successful drains was posted to the perpetrators' Telegram channels.
### Detection & Response
- **Detection Method:** Tracking by independent security researchers (G0njxa, MalwareHunterTeam).
- **Response Actions:** CryptoJobsList removed the fraudulent job listings and warned applicants. The public attention appeared to lead the threat actors to terminate the specific GrassCall website/campaign.
## Attack Methodology (Inferred from Malware Functionality)
- **Initial Access:** Social Engineering, Direct Download of malicious client software.
- **Persistence:** Not detailed in the report. Atomic Stealer is typically a one-shot collector rather than a persistent implant, but because the Windows payload was not identified, persistence on infected hosts cannot be ruled out (the report's eradication guidance includes scanning for RATs).
- **Privilege Escalation:** Not explicitly detailed. Browser credential stores and Keychain contents are reachable from the victim's own user context (macOS stealers of this family typically obtain the login password with a fake system prompt rather than exploiting an elevation flaw), so elevation is not required for the observed data theft.
- **Defense Evasion:** Use of seemingly legitimate application installers for execution.
- **Credential Access:** Target application configuration/storage (Apple Keychain, web browsers).
- **Discovery:** Malware scanned files based on keywords and targeted cryptocurrency wallet locations.
- **Lateral Movement:** Not the primary focus; targeted endpoint compromise.
- **Collection:** Stealing files, passwords, cookies, and wallet configurations.
- **Exfiltration:** Uploading stolen data to attacker-controlled servers, often reported via Telegram.
- **Impact:** Financial theft by draining cryptocurrency wallets, including wallets whose stolen files were password-protected and whose passwords the attackers later bruteforced.
## Impact Assessment
- **Financial:** Significant, as individual successful hits reportedly netted attackers "tens, if not hundreds, of thousands of dollars" per victim.
- **Data Breach:** Cryptocurrency wallet keys/passwords, system passwords, authentication cookies, and general user files.
- **Operational:** Disruption and financial loss for targeted individuals.
- **Reputational:** Damage to legitimate job platforms where listings were posted.
## Indicators of Compromise
- **Network Indicators:** Communications to attacker-controlled upload servers (Specific IPs/Domains not listed, but necessary for follow-up).
- **File Indicators:**
- Windows Client: `GrassCall_v.6.10.exe`
- Mac Client: `GrassCall_v.6.10.dmg`
- Mac Payload: Atomic (AMOS) Stealer malware.
- **Behavioral Indicators:** User execution of downloaded software masquerading as an interview or meeting client; outbound uploads from that process shortly after execution; sudden draining of cryptocurrency wallets following the installation.
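The two file indicators and the download-execute-upload chain above can be turned into a small detector. The following is an added example, not code from the original report or from the researchers who tracked the campaign; the telemetry format, host names, PIDs, destination addresses and the timing/byte thresholds are assumptions chosen for illustration, and the sample log lines are constructed.

```python
# Added example, not code from the original report or from the researchers
# who tracked this campaign. It applies the report's file indicators and the
# download -> execute -> upload behaviour chain to constructed endpoint
# telemetry. The log format, hosts, PIDs, addresses and thresholds are
# assumptions for illustration only.
import re
from datetime import datetime, timedelta

# File indicators from the report, matched case-insensitively on the basename.
KNOWN_BAD_FILENAMES = {"grasscall_v.6.10.exe", "grasscall_v.6.10.dmg"}

# Assumed behavioural thresholds: a freshly downloaded binary that is executed
# within EXEC_WINDOW of download and then sends UPLOAD_BYTES or more within
# UPLOAD_WINDOW of starting is flagged as a download-execute-upload chain.
EXEC_WINDOW = timedelta(minutes=30)
UPLOAD_WINDOW = timedelta(minutes=10)
UPLOAD_BYTES = 1024 * 1024

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse an 'ISO-8601 key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    ev = {"ts": ts}
    for key, val in KV_RE.findall(m.group("kv")):
        ev[key] = val.strip('"')
    return ev


def basename(path):
    """Last path component, lower-cased, for either Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def detect(lines):
    """Return (rule, host, detail) alerts for the given telemetry lines."""
    events = [e for e in map(parse_line, lines) if e is not None]
    alerts = []
    downloads = {}  # (host, basename) -> download time
    executed = {}   # (host, pid) -> (basename, start time) for recently downloaded binaries
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, kind = ev.get("host"), ev.get("event")
        if kind == "file_download":
            name = basename(ev.get("path", ""))
            downloads[(host, name)] = ev["ts"]
            if name in KNOWN_BAD_FILENAMES:
                alerts.append(("ioc_filename", host, name))
        elif kind == "process_start":
            name = basename(ev.get("image", ""))
            if name in KNOWN_BAD_FILENAMES:
                alerts.append(("ioc_execution", host, name))
            downloaded_at = downloads.get((host, name))
            if downloaded_at is not None and ev["ts"] - downloaded_at <= EXEC_WINDOW:
                executed[(host, ev.get("pid"))] = (name, ev["ts"])
        elif kind == "net_connect":
            run = executed.get((host, ev.get("pid")))
            if run is None:
                continue
            name, started_at = run
            if ev["ts"] - started_at <= UPLOAD_WINDOW and int(ev.get("bytes_out", 0)) >= UPLOAD_BYTES:
                alerts.append(("download_execute_upload", host, f"{name} -> {ev.get('dst')}"))
    return alerts


# Constructed sample telemetry (not real data): one Windows victim showing the
# full chain, one macOS download of the known .dmg, one benign installer run
# that must not alert, and one malformed line that the parser skips.
SAMPLE_LOG = [
    r"2025-02-20T10:00:00Z host=win-01 user=alice event=file_download path=C:\Users\alice\Downloads\GrassCall_v.6.10.exe",
    r"2025-02-20T10:03:00Z host=win-01 user=alice event=process_start pid=4412 image=C:\Users\alice\Downloads\GrassCall_v.6.10.exe",
    "2025-02-20T10:05:30Z host=win-01 event=net_connect pid=4412 dst=203.0.113.10:443 bytes_out=7340032",
    "2025-02-20T11:00:00Z host=mac-02 user=bob event=file_download path=/Users/bob/Downloads/GrassCall_v.6.10.dmg",
    r"2025-02-20T12:00:00Z host=win-03 user=carol event=file_download path=C:\Users\carol\Downloads\zoomInstaller.exe",
    r"2025-02-20T12:01:00Z host=win-03 user=carol event=process_start pid=900 image=C:\Users\carol\Downloads\zoomInstaller.exe",
    "2025-02-20T12:02:00Z host=win-03 event=net_connect pid=900 dst=198.51.100.5:443 bytes_out=2048",
    "this line is not telemetry",
]

if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_LOG):
        print(f"{rule:26} {host:8} {detail}")
```

The filename rules are brittle by design (the next campaign will rename the client), which is why the behavioural rule keys on the chain rather than the name; the benign installer in the sample is executed just as quickly but sends only a few kilobytes, so it is not flagged. On macOS the `.dmg` is mounted rather than executed, so the chain rule would need to follow the mounted application bundle rather than the download name; the example only applies the filename indicator there.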
## Response Actions
- **Containment:** CryptoJobsList removed the fraudulent job listings. Victims were urged to change all passwords, passphrases, and authentication tokens immediately and to revoke active sessions, since stolen cookies remain valid until invalidated.
- **Eradication:** For affected users: scanning devices for malware/RATs, then changing credentials across all affected services (especially crypto wallets and exchanges) from a clean device.
- **Recovery:** Stolen seed phrases and wallet files cannot be "changed", so remaining funds should be moved to new wallets generated on a clean device; systems potentially infected with Atomic Stealer or the unidentified Windows infostealer should be rebuilt rather than trusted after cleanup.
## Lessons Learned
- **Key Takeaways:** Social engineering remains highly effective, especially when aimed at high-value targets (Web3 job seekers). Attackers are willing to invest follow-on effort (bruteforcing the passwords of stolen wallet files) to maximize financial gain.
- **What could have been done better:** Job platforms should implement stricter vetting for high-sensitivity industries like crypto/blockchain. Users must treat unsolicited executables from job interviews with extreme skepticism.
## Recommendations
- **Prevention Measures for Similar Incidents:**
1. **Endpoint Security:** On managed endpoints, enforce application allowlisting. Individuals should never run unsolicited executables or disk images received during a job application, and should obtain any genuinely required meeting software only from the vendor's official site.
2. **Credential Hygiene:** Enable multi-factor authentication (MFA) everywhere, while recognizing that stolen session cookies bypass it, so sessions must be revoked after a compromise. Store seed phrases and private keys offline, never in application files, browser extensions' storage, or notes on the same machine.
3. **Platform Vetting:** Job boards must aggressively monitor and report suspicious hiring activity related to crypto roles.
4. **Security Awareness:** Train job seekers to recognize that legitimate Web3 companies rarely require the download of proprietary executable clients for initial interviews.