Posted on June 15, 2022 at 5:52 AM
Chinese Hackers Are Distributing Malware Through Compromised Web3 Wallets
Security researchers have discovered a large-scale malware operation that utilizes trojanized mobile crypto wallet applications for imToken, TokenPocket, Coinbase, and MetaMask services.
The activity was first observed in March this year. Researchers at Confiant named the cluster SeaFlower and described it as “the most technically sophisticated threat targeting Web3 users” right now, comparing its level of sophistication to that of the notorious Lazarus Group.
The researchers’ report notes that the malicious crypto apps look like the originals but carry a backdoor that steals the seed phrase users rely on to access their digital assets.
The report states that the hackers behind the SeaFlower malware appear to be Chinese, based on details of the attack: the services and frameworks they used, the location of their infrastructure, and their source code all point to China.
The Hackers Used Aggressive Techniques To Spread The Malware
The hackers used aggressive app distribution methods to spread the SeaFlower trojanized app to as many users as possible. The hackers achieved this via clones of legitimate websites, black SEO methods, as well as through SEO poisoning.
Additionally, the security researchers believe that the hackers are promoting the applications on social media channels, malvertising, and forums. However, the main channel of distribution observed by Confiant is the search services.
According to the researchers, Baidu search results are the most affected by SeaFlower activity, directing large amounts of traffic to the malicious sites.
The malware also targets iOS devices. It abuses provisioning profiles to side-load the malicious apps onto the device, bypassing Apple’s security protections in the process. Beyond being potent, the researchers found that the malicious app uses strong evasion techniques that keep it hidden from security tools.
The Hackers Are Mimicking Genuine Codes
Provisioning profiles are normally used to tie devices and developers to an authorized development team so that those devices can run application code under test. That same mechanism makes them a very effective tool for adding malicious applications to a device.
The security researchers reverse engineered the apps to find out how the SeaFlower authors had planted the backdoors. According to the Confiant analysts, all of them shared similar code.
The backdoor in the iOS MetaMask app is activated when the seed phrase is generated, before the phrase is stored in encrypted form. This means the hackers can intercept the phrase both when a user creates a new wallet and when a user imports an existing one into a freshly installed app.
The Hackers Use POST Requests To Steal Pass Phrases
One of the main roles of the backdoor function “startupload” is to steal the seed phrase and send it to domains that mimic the legitimate ones. For example, the hackers exfiltrated the phrases with a POST request to ‘trx.lnfura[.]org’, which impersonates the authentic “infura.io”. They also used ‘metanask[.]cc’, which poses as MetaMask’s original domain.
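The two exfiltration domains above differ from the legitimate ones by a single swapped character (“l” for “i”, “n” for “m”) or by the top-level domain, which is exactly what a lookalike check on outbound traffic can catch. The following is an added example, not code from the article or from Confiant: it compares the registrable part of each requested host against a small allowlist of expected wallet service domains, collapsing common confusable characters and applying an edit-distance threshold. The allowlist entries, the confusable list and the log lines are all constructed for the example (“metamask.io” is assumed to be MetaMask’s real domain; the log format is invented).

```python
"""Flag outbound requests to lookalike domains of known wallet/RPC services.

Added example (not from the article). Assumptions: a constructed allowlist
of expected domains and a made-up egress log format with one URL per line.
"""
import re

# Legitimate service domains the wallet apps are expected to talk to.
# Constructed allowlist for the example; build yours from an egress baseline.
KNOWN_DOMAINS = ("infura.io", "metamask.io")

# Visually similar character swaps used in typosquats (e.g. "lnfura" for
# "infura"). Constructed list; not exhaustive.
CONFUSABLE_SWAPS = (("rn", "m"), ("vv", "w"), ("l", "i"), ("1", "i"), ("0", "o"))


def normalize_label(label: str) -> str:
    """Collapse confusable characters so homoglyph variants compare equal."""
    label = label.lower()
    for src, dst in CONFUSABLE_SWAPS:
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(host: str):
    """Return (second-level label, registrable domain) for a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], labels[0]
    return labels[-2], ".".join(labels[-2:])


def classify(host: str, known=KNOWN_DOMAINS, max_distance: int = 1):
    """Return ('legit' | 'lookalike' | 'unknown', matched reference domain)."""
    sld, base = split_host(host)
    if base in known:
        return "legit", base
    for ref in known:
        ref_sld, _ = split_host(ref)
        # Same label after confusable folding (covers TLD swaps such as
        # infura.org) or within one edit of the real label (metanask).
        if (normalize_label(sld) == normalize_label(ref_sld)
                or levenshtein(sld, ref_sld) <= max_distance):
            return "lookalike", ref
    return "unknown", base


URL_HOST = re.compile(r"https?://([^/\s:]+)")


def scan_log(text: str):
    """Return [(host, impersonated_domain)] for every request to a lookalike host."""
    findings = []
    for line in text.splitlines():
        m = URL_HOST.search(line)
        if not m:
            continue
        verdict, ref = classify(m.group(1))
        if verdict == "lookalike":
            findings.append((m.group(1), ref))
    return findings


# Constructed egress log lines in a made-up format; the hosts mirror the
# lookalike domains described in the article.
SAMPLE_LOG = """\
2022-03-10T09:12:01Z POST https://mainnet.infura.io/v3/ 200
2022-03-10T09:12:05Z POST https://trx.lnfura.org/ 200
2022-03-10T09:13:44Z POST https://metanask.cc/ 200
2022-03-10T09:14:02Z GET https://example.com/ 200
"""

if __name__ == "__main__":
    for host, ref in scan_log(SAMPLE_LOG):
        print(f"lookalike host {host!r} impersonates {ref}")
```

The check deliberately compares only the second-level label, so a TLD swap (infura.org) is flagged even though the full domain is several edits away from infura.io. In practice, run it against proxy or DNS logs from devices that have the wallet apps installed, and treat a hit as a trigger for investigation rather than proof of compromise: a one-edit match against a short label will produce false positives, so keep the allowlist and the distance threshold tuned to your environment.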
The class that holds the hidden functions is loaded from a base64-encoded, RSA-encrypted blob. Because the keys are hardcoded in the app, the analysts could decrypt the backdoor, validate it, and test the code at runtime.
Users Should Only Install Wallet Apps From Trusted Platforms
The backdoor code was not as carefully hidden as expected in the Android variant’s malicious apps.
As a result, the researchers could access more functions without much effort. One of the most crucial aspects of the backdoor is the planting of a React Native bundle on the RCTBridge instance used for loading JavaScript. Taha Karim, director of threat intelligence at Confiant, shared some details of how the threat actors utilized the malware while discussing the findings.
He noted that planting native bundles is something not seen in the past in other hacking activities. Generally, it connects to a metaverse linking to a React Native app. The threat actors have spent years reverse-engineering the React Native app to understand where and how bundles are loaded.
They included logos to force the backdoor bundle, which can be loaded at runtime and executed by JavaScriptCore. The bundle was encrypted and hidden in a dylib file, which is also injected at runtime. The researchers advise cryptocurrency and crypto wallet holders to download wallet apps only from trusted sites and platforms to protect their devices from these attacks.