SEAL is tracking an ongoing campaign against crypto users by a threat actor identified as ELUSIVE COMET, who employs sophisticated social engineering tactics to induce victims to install malware and ultimately steal their crypto. SEAL is working closely with industry partners to proactively protect users.
ELUSIVE COMET is known to operate Aureon Capital, which purports to be a legitimate venture capital firm, as well as related entities Aureon Press and The OnChain Podcast. ELUSIVE COMET is responsible for millions of dollars in stolen funds and poses a significant risk to users due to their carefully engineered backstory. If you have been in contact with any representatives of Aureon Capital or suspect you may have lost funds as a result of contact with Aureon Capital, please email tips-elusive-comet@securityalliance.org.
Methodology
ELUSIVE COMET maintains a strong online presence with extensive history in order to establish and maintain legitimacy. This is accomplished by setting up polished websites and active social media profiles, as well as creating profiles which impersonate real people with notable credentials.
ELUSIVE COMET typically initiates outreach with potential victims over Twitter DMs or email by inviting the potential victim to be a guest on their podcast. If accepted, they will proceed to schedule a call over Zoom to learn more about the potential victim’s work, sometimes withholding meeting details until the very last minute in order to induce additional urgency.
Once the potential victim has joined the call, they are prompted to share their screen to present their work. At this point, ELUSIVE COMET uses Zoom to request control over the potential victim's computer. If the potential victim is not paying close attention, they may accidentally grant remote access, which allows ELUSIVE COMET to install their malware on the victim's device. This malware may either be an infostealer, which immediately exfiltrates relevant secrets, or a RAT, which allows for exfiltration at a later time.
Mitigation
SEAL recommends that users perform the necessary due diligence when receiving an offer or request from an unknown individual and ensure that they are communicating with the legitimate profile and not an impersonator. SEAL also recommends requiring that all video calls take place over a trusted platform, such as Zoom, Google Meet, Microsoft Teams, or another well-known platform.
When using Zoom, SEAL recommends that users pay close attention to avoid accidentally granting control over their device to an untrusted party. For extra safety, SEAL recommends that users follow these instructions to disable remote control functionality entirely. SEAL also recommends that IT/security teams follow these instructions to disable remote control functionality across their entire Zoom tenant.
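A defender-side check for the mitigation above, added here and not part of SEAL's advisory or tooling: on macOS, the Zoom client can only act on a remote-control grant if it holds the Accessibility permission, so auditing that grant shows whether a workstation could be taken over through this flow. The script assumes the macOS TCC database layout (table `access` with `auth_value` on macOS 11+, or a boolean `allowed` column on older releases) and Zoom's bundle id `us.zoom.xos`; reading the real database needs root and Full Disk Access, so the demo runs against a constructed in-memory copy.

```python
import sqlite3

# Where macOS keeps Accessibility decisions; reading it needs root + Full Disk Access.
SYSTEM_TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"
ACCESSIBILITY = "kTCCServiceAccessibility"   # permission remote control relies on
WATCHED_CLIENTS = {"us.zoom.xos"}            # Zoom desktop client bundle id (assumed)


def accessibility_grants(con):
    """Bundle ids that currently hold Accessibility in the given TCC.db connection."""
    cols = {row[1] for row in con.execute("PRAGMA table_info(access)")}
    # macOS 11+ records the decision in auth_value (2 = allowed); older
    # releases used a boolean `allowed` column, so handle both layouts.
    if "auth_value" in cols:
        query = "SELECT client FROM access WHERE service = ? AND auth_value = 2"
    else:
        query = "SELECT client FROM access WHERE service = ? AND allowed = 1"
    return sorted({row[0] for row in con.execute(query, (ACCESSIBILITY,))})


def remote_control_capable(con, watched=WATCHED_CLIENTS):
    """Watched apps that could honour a remote-control request right now."""
    return sorted(set(accessibility_grants(con)) & set(watched))


def build_sample_db(legacy=False):
    """Constructed in-memory stand-in for TCC.db (sample data, not a real host)."""
    con = sqlite3.connect(":memory:")
    if legacy:
        con.execute("CREATE TABLE access (service TEXT, client TEXT, allowed INTEGER)")
        rows = [(ACCESSIBILITY, "us.zoom.xos", 1),
                (ACCESSIBILITY, "com.example.editor", 0)]
    else:
        con.execute("CREATE TABLE access (service TEXT, client TEXT, auth_value INTEGER)")
        rows = [(ACCESSIBILITY, "us.zoom.xos", 2),                 # allowed
                (ACCESSIBILITY, "com.example.editor", 0),          # denied
                ("kTCCServiceScreenCapture", "us.zoom.xos", 2)]    # sharing only
    con.executemany("INSERT INTO access VALUES (?, ?, ?)", rows)
    con.commit()
    return con


if __name__ == "__main__":
    # On a real host: con = sqlite3.connect(f"file:{SYSTEM_TCC_DB}?mode=ro", uri=True)
    con = build_sample_db()
    flagged = remote_control_capable(con)
    print("remote-control capable:", flagged or "none")
```

A flagged client means a user on that machine could still hand over control with one click; revoking Accessibility for it, or disabling remote control in the Zoom tenant, removes that path.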
IoCs
Known Profiles
Contact
If you are a security researcher interested in additional technical information or relevant samples, please complete this form.