Friday, May 23, 2025

Hackers use fake Ledger apps to steal Mac users' seed phrases


Cybercriminal campaigns are using fake Ledger apps to target macOS users and their digital assets, deploying malware that attempts to steal the seed phrases that protect access to cryptocurrency wallets.

Ledger is a popular hardware wallet designed to store cryptocurrency keys offline (cold storage) in a secure manner.

A seed or recovery phrase is a set of 12 or 24 random words that allows the wallet's assets to be recovered if the device is lost or the access PIN is forgotten. Anyone holding the phrase holds the funds, so it is meant to be kept offline and private.

In the attacks highlighted in a Moonlock Lab report, the malicious app impersonates the Ledger app in an attempt to trick the user into typing their seed phrase into a phishing page.

Moonlock Lab says they have been tracking these attacks since August 2024, when the app clones could only "steal passwords, notes, and wallet details to get a glimpse of the wallet's assets." That data would not be enough to access the funds, though.

With the recent update focusing on stealing the seed phrase, cybercriminals can empty victims' wallets.

Evolution of the Ledger campaigns

In March, Moonlock Lab observed a threat actor using the alias 'Rodrigo' deploying a new macOS stealer named 'Odyssey.'

The new malware replaces the legitimate Ledger Live app on the victim's machine to make the attack more convincing.

The malware embeds a phishing page inside a fake Ledger app that, after displaying a bogus "critical error" message, asks the victim to enter their 24-word seed phrase to recover their account.

Seed phrase phishing page
Source: Moonlock Lab

Odyssey can also steal macOS usernames and exfiltrates everything entered into the phishing fields to Rodrigo's command-and-control (C2) server.

The effectiveness of this new piece of malware quickly gained attention on underground forums, prompting copycat attacks by the AMOS stealer, which implemented similar features.

Last month, a new AMOS campaign was identified using a DMG file named 'JandiInstaller.dmg,' which bypassed Gatekeeper to install a trojanized Ledger Live clone app that displayed Rodrigo-style phishing screens.

AMOS malware installation prompt, posing as Apple Terminal
Source: Moonlock Lab

Victims who fell for the trick and typed their 24-word seed phrase into AMOS received a deceptive "App corrupted" message to lower suspicion and give the attackers enough time to drain the assets.

Around the same time, a separate threat actor using the handle '@mentalpositive' began advertising an "anti-Ledger" module on dark web forums, though Moonlock could not find working versions of it.

This month, researchers at Jamf, a company that provides organizations with software for managing Apple devices, uncovered another campaign in which a PyInstaller-packed binary inside a DMG file downloaded a phishing page and loaded it via an iframe inside a fake Ledger Live interface to steal users' seed phrases.

Similar to the AMOS stealer campaign, the attacks that Jamf discovered follow a hybrid approach, targeting browser data, "hot" wallet configurations, and system information alongside the targeted Ledger phishing.

Code of the malware app
Source: Moonlock Lab

To keep your Ledger wallets safe, only download the Ledger Live app from the official website, and always stop and check before typing your seed phrase, which should only ever be necessary when you have lost access to the physical wallet.

You only need the seed phrase when restoring your wallet or setting up a new device. Even then, the phrase is entered on the physical Ledger device itself, never in the app or on any website: a Ledger Live window or web page asking for the 24 words is a phishing attempt, whatever error message precedes it.
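As a practical complement to the "download only from the official website" advice, here is an added example (not code from the article, Ledger, Moonlock Lab or Jamf) that checks a macOS app bundle's code signature and Gatekeeper assessment before you launch it. The clones described above replace the real Ledger Live bundle on disk, so verifying that the bundle is signed with the expected bundle identifier and Apple Developer Team ID, and that `spctl` still accepts it, catches an unsigned or ad-hoc signed substitute. The bundle identifier `com.ledger.live` and the Team ID `ABCDE12345` are assumptions and placeholders: read the real values from a known-good install with `codesign -dv --verbose=2` and substitute them.

```python
"""Verify that a macOS app bundle (here: Ledger Live) is signed by the expected
developer before running it. Added example; the constants are assumptions."""
import subprocess
import sys
from pathlib import Path

# Assumed identifiers. Read the real ones from a known-good install with
#   codesign -dv --verbose=2 "/Applications/Ledger Live.app"
# and replace them; the Team ID below is a placeholder, not Ledger's real one.
EXPECTED_BUNDLE_ID = "com.ledger.live"   # assumption
EXPECTED_TEAM_ID = "ABCDE12345"           # placeholder, assumption


def parse_codesign_info(text):
    """Turn the key=value lines that `codesign -dv` prints (to stderr) into a
    dict. Repeated Authority= lines (the certificate chain) become a list."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Authority":
            info.setdefault("Authority", []).append(value)
        else:
            info[key] = value
    return info


def evaluate_signature(info, expected_bundle_id=EXPECTED_BUNDLE_ID,
                       expected_team_id=EXPECTED_TEAM_ID):
    """Return (ok, reasons). ok is True only if the bundle identifier, the
    Team ID and a Developer ID Application certificate all match expectations.
    An unsigned or ad-hoc signed clone fails the Team ID and chain checks."""
    reasons = []
    if not info:
        reasons.append("no signature information (unsigned bundle?)")
        return False, reasons
    if info.get("Identifier") != expected_bundle_id:
        reasons.append(f"bundle identifier is {info.get('Identifier')!r}, "
                       f"expected {expected_bundle_id!r}")
    team = info.get("TeamIdentifier")
    if team != expected_team_id:
        reasons.append(f"TeamIdentifier is {team!r}, expected {expected_team_id!r}")
    chain = info.get("Authority", [])
    if not any(a.startswith("Developer ID Application:") for a in chain):
        reasons.append("not signed with a Developer ID Application certificate")
    return not reasons, reasons


def codesign_info(bundle):
    """Run codesign against a bundle on disk; empty dict if it is unsigned
    (codesign exits non-zero with 'code object is not signed at all')."""
    proc = subprocess.run(["codesign", "-dv", "--verbose=2", str(bundle)],
                          capture_output=True, text=True)
    return parse_codesign_info(proc.stderr) if proc.returncode == 0 else {}


def gatekeeper_accepts(bundle):
    """spctl assessment: exit status 0 plus 'accepted' in the output means
    Gatekeeper would allow the app (notarized Developer ID or App Store)."""
    proc = subprocess.run(["spctl", "--assess", "--type", "execute", "-v", str(bundle)],
                          capture_output=True, text=True)
    return proc.returncode == 0 and "accepted" in (proc.stdout + proc.stderr)


def main(argv):
    bundle = Path(argv[1] if len(argv) > 1 else "/Applications/Ledger Live.app")
    ok, reasons = evaluate_signature(codesign_info(bundle))
    gk = gatekeeper_accepts(bundle)
    print(f"{bundle}: signature {'OK' if ok else 'FAIL'}, "
          f"Gatekeeper {'accepted' if gk else 'rejected'}")
    for reason in reasons:
        print("  -", reason)
    return 0 if ok and gk else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_ledger_live.py "/Applications/Ledger Live.app"` on the Mac in question. The check is only as good as the reference values you put in the two constants, so record them from an install you trust rather than from the machine you suspect. It also cannot help once a user has been talked into overriding Gatekeeper for an installer, as the AMOS campaign above relied on; the rule that the seed phrase is only ever typed on the hardware device remains the backstop.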

