CTI Roundup: Vortax Spreads Infostealer Malware, Linux Malware Uses Emojis to Execute Commands

This week, CTI looks at Vortax — a newly identified, self-proclaimed virtual meeting software that delivers infostealers. Next up, CTI inspects a campaign that distributes malware via fake Chrome, Word, and OneDrive error messages. CTI wraps up with an overview of DISGOMOJI, a Linux malware that uses Discord for its C2 and leverages emojis to execute commands on infected devices.

1. Vortax spreads infostealer malware

Recorded Future has identified a virtual meeting software called Vortax which delivers three infostealers during installation. The extensive campaign is carried out by a threat actor called “markopolo” and delivers Rhadamanthys, Stealc, and the Atomic macOS Stealer (AMOS).

AMOS is not often seen in the wild, which makes this campaign stand out. Recorded Future’s investigation into the Vortax application led them to the discovery of 23 other malicious macOS applications that all use the same C2 infrastructure.

What is Vortax?

Vortax is a self-proclaimed virtual meeting software advertised as a “cross-platform and in-browser enterprise-focused alternative.” It claims to leverage artificial intelligence to create meeting summaries and suggest questions.

• Vortax is currently indexed by all major search engines, is active on social media, and maintains a blog on Medium.
• The software also claims to have a physical location in Toronto, but the address listed is the address of an apartment building.
• At first glance, Vortax appears to be a legitimate software company, especially with its claim to have gotten awards from Forbes and endorsements from big-name companies like Uber. An investigation into the software revealed no such evidence to support these claims.
• Its official websites are full of grammatical errors.

Vortax marketing

As noted, Vortax markets itself on social media and its own sites. It claims to have applications for Windows, Linux, macOS, iOS, and Android.

To download the software users must have a “Room ID” which they have to obtain via a meeting invitation. These IDs are typically spread in four ways including direct messages sent from social media accounts, replies to the Vortax account on social media, posts in crypto-related Telegram channels, and posts in crypto-themed Discord channels.

Downloading Vortax

When a user enters the Room ID into a Vortax website, they are redirected to a Dropbox site if they are on Windows and redirected to an external site if on macOS. Either way, the Vortax installer will download.

The installer will deliver Rhadamanthys and Stealc malware to Windows users and AMOS to macOS users. The app will also give the user a popup claiming that it ran into a “critical error” and that it cannot run. Meanwhile, several malicious processes run behind the scenes.

Malicious network overlaps

Recorded Future took a closer look at domains hosted on the same IP address and discovered other domains hosting malicious applications that also deliver AMOS.

Further research into these applications uncovered similar scams to Vortax, leading them to believe that markopolo is operating multiple scams.

Analyst comments from Tanium’s Cyber Threat Intelligence team

This campaign is a twist on the cracked software campaigns that have been going on for quite some time. Instead of spoofing legitimate and known software, this actor creates their own software and hopes that users will be interested in installing it. The actor’s false claims could easily trick users into thinking Vortax is legitimate. However, any additional research would likely raise a level of skepticism.

As this example demonstrates, it’s important for employees to only install approved software. And when it comes to personal software, end users must understand what they are installing and take the time to research and confirm legitimacy.

Recorded Future points out that the malware distributed in this campaign, AMOS, is not often used in the wild. This activity also brings to light how difficult it is to track these types of infostealer campaigns.

2. Malware campaign distributes fake error messages

A new campaign is distributing malware via fake Google Chrome, Microsoft Word, and OneDrive error messages. Each error message attempts to trick users into running a malicious script that installs malware on their machine.

ClearFake activity

Proofpoint first discovered this technique in April 2024 and have noticed it in every ClearFake campaign since. For context, ClearFake is an activity cluster that typically leverages fake browser updates to compromise websites. In these campaigns, when a user visits one of these compromised sites, the site will load a malicious script via EtherHiding which will run a secondary script. If the user remains on the site, they will then see a fake warning message instructing them to install a root certificate in order to view the website without errors.

The message that is displayed to the user instructs them to manually run a script on their machine. This script will flush DNS cache, clear clipboard content, and download and execute a PowerShell script in memory.

The second script downloads a third script that checks if it is operating in a virtual environment. If not in a virtual environment, it will download a ZIP file, execute its content, and inform the ClearFake C2 that installation was successful. As part of this process, it sideloads a trojanized DLL to load the Lumma Stealer malware, which will carry out its stealer activities and download additional payloads.

ClickFix activity

In April, Proofpoint identified several compromised sites that led to an iframe. The iframe appears to users as a message that something has gone wrong, and that the browser needs to be updated for the problem to be corrected. This activity has been called “ClickFix.”

Again, the message displayed to the user tries to get them to copy and paste a malicious script. In this case, it would result in the installation of Vidar Stealer. A few days after this initial discovery, researchers discovered that the iframe content was replaced with the ClearFake inject that was discussed previously.

TA571 activity

An actor tracked as TA571 has been using this technique since at least March 1, 2024. In that campaign, over 100,000 email messages were sent. The emails include an HTML attachment that looks like a Microsoft Word document. Upon opening them, the user will see an error message that the “Word Online” extension is not installed and is presented with options to fix the issue.

If the user selects the “How to fix” option, a PowerShell script copies to the clipboard and the message changes to instructions on how to run that script manually. If the user selects the “Auto-fix” option, Windows Explorer is opened, and a WebDAV-hosted file displays to the user.

This actor has used this technique for the past few months, switching up the visual lures. In some cases, the actor used an HTML attachment that looked like a document hosted on OneDrive and contained a different fake error message.

Analyst comments from Tanium’s Cyber Threat Intelligence team

This is not the first time we’ve seen a threat actor use a technique in which they essentially ask the user to copy and paste a script to infect their own machine.

This technique seems to be becoming more popular and helping threat actors deliver a range of malware. This popularity makes a lot of sense because the threat actor does not need to be incredibly mature or sophisticated and instead relies on the victim to do the heavy lifting.

Security teams should train and educate end users to avoid running scripts unless directed by a legitimate IT help desk.

3. Linux malware uses emojis to execute commands

According to Volexity, a newly discovered Linux malware called DISGOMOJI uses Discord for its C2 and leverages emojis to execute commands on infected devices.

This malware is specifically for Linux systems and targets organizations that are known to use Linux distributions. The malware is believed to be linked to a Pakistan-based actor tracked as UTA0137.

Volexity’s analysis began with an ELF binary written in Golang that was delivered inside a ZIP file. The binary starts by downloading a benign PDF lure, so the victim has something to view that is seemingly legitimate.

In the background, the malware will download an instance of DISGOMOJI, the next stage payload from a remote server. This payload drops into a hidden folder and creates a dedicated channel in the Discord server so that each victim has their own channel. It will gather and send information about the victim to the channel and maintain persistence via cron.

This malware will also execute a script that checks for any connected USB devices and copies files from those devices.

Emojis are sent in the created channels to send commands to the malware. In response, a clock emoji is sent to acknowledge that the command is being processed and a check mark emoji is sent when completed.

Post-infection behavior

After distributing the DISGOMOJI malware, UTA0137 carries out various post-infection activities. The actor leverages Nmap to scan the network, Chisel, and Ligolo for network tunneling, and the oshi[.]at file sharing service to stage additional tooling.

In more than one instance the actor issued commands that opened a dialog box to the user pretending to be a Firefox update and requiring the user’s password to proceed. In a recent campaign, this actor used CVE-2922-0847, a privilege escalation exploit.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Since this is not a common attack method, it could present a challenge for security software that is looking solely for string-based detections.

Right now this activity targets Indian government entities and does not appear to be widespread. Given the increased targeting of Linux devices and the novel emoji technique, the blast radius could expand if more actors pick up on its success rates.

---

Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum and start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.