A Chinese-speaking, technically skilled threat actor is distributing backdoored cryptocurrency wallet apps to drain victims' funds in a newly discovered large-scale operation.
Confiant security researchers have shared details of a large-scale operation run by a technically advanced, sophisticated threat actor. The actor distributes backdoored applications through fake versions of legitimate cryptocurrency wallet websites in order to drain funds. The activity cluster is dubbed SeaFlower and reportedly targets both iOS and Android users.
Confiant researchers noted that the trojanized cryptocurrency apps are otherwise identical to the real versions, but contain a backdoor that steals the user's seed phrase, giving the attackers full access to the victim's digital assets.
Attack Method
The SeaFlower operation leverages website cloning, SEO poisoning, and black SEO techniques to distribute trojanized apps to a broader range of users. Targeted applications include iOS and Android versions of MetaMask, Coinbase wallet, imToken, and TokenPocket.
The apps are distributed through Chinese search engines such as Sogou and Baidu. The search results are rigged so that a query such as "Download MetaMask iOS" places the drive-by download pages at the top of the first page of results.
Unsuspecting users land on these sites, which lure them into downloading trojanized versions of the wallet apps. The apps have been modified to look and behave like the originals, but carry additional code that extracts the seed phrase and sends it to a remote domain.
The attackers may promote the backdoored apps on social media platforms and forums and use malvertising, but the leading distribution channel is search engines.
SeaFlower Objective
According to a blog post by Confiant's Taha Karim, the main objective of the campaign is to modify Web3 wallets with backdoor code that exfiltrates the seed phrase. To reach iOS users, SeaFlower operators rely on provisioning profiles, which allow the backdoored apps to be sideloaded onto devices without going through the App Store.
For context, a provisioning profile ties a device (or, for enterprise profiles, an organization) to an Apple developer team, so that apps signed by that team can be installed and run outside App Store review. The mechanism exists for testing app code on real hardware, but a victim who accepts an attacker-controlled profile can be made to install unreviewed, malicious apps the same way.
The Chinese Connection
Analysis of the source code comments in the backdoored code, the macOS usernames left in the binaries, and the use of Alibaba's CDN (content delivery network) links this campaign to a yet-to-be-identified Chinese-speaking group.
Researchers claim they discovered the campaign in March 2022 and refer to SeaFlower as “the most technically sophisticated threat targeting Web3 users, right after the infamous Lazarus Group.”
Why SeaFlower?
Regarding why Confiant researchers dubbed the activity SeaFlower, they noted that one of the .dylib files injected in the trojanized MetaMask app’s Mach-O leaked a macOS username “Zhang Haike.” When they Googled the term, many Chinese language references appeared, one of which was a character in the Chinese novel “Tibetan Sea Flower.”
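The injected .dylib mentioned above suggests a quick triage check a practitioner can run on a sideloaded wallet app: list the dylib load commands (LC_LOAD_DYLIB and its weak, re-export and upward variants) in the app's main Mach-O binary and compare them with the same binary from a known-good App Store copy. Anything present only in the suspect build is a candidate for injected code. The parser below is an added example written for this article, not Confiant's tooling or code from any of the wallet projects; the two "binaries" it analyses are synthetic fixtures built in-memory by `build_macho`, and the injected library name `@executable_path/Frameworks/libextra.dylib` is a made-up placeholder, not an indicator from the SeaFlower campaign.

```python
"""Diff the dylib load commands of a suspicious Mach-O against a known-good copy.

Added example for this article (not Confiant's or MetaMask's code). Parses
64-bit little-endian Mach-O images (iOS arm64) and fat containers; the sample
binaries used at the bottom are constructed fixtures, not real wallet builds.
"""
import struct

MH_MAGIC_64 = 0xFEEDFACF          # 64-bit Mach-O, little-endian on arm64
FAT_MAGIC = 0xCAFEBABE            # universal container, big-endian header
LC_REQ_DYLD = 0x80000000
LC_LOAD_DYLIB = 0xC
LC_LOAD_WEAK_DYLIB = 0x18 | LC_REQ_DYLD
LC_REEXPORT_DYLIB = 0x1F | LC_REQ_DYLD
LC_LOAD_UPWARD_DYLIB = 0x23 | LC_REQ_DYLD
DYLIB_CMDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB, LC_LOAD_UPWARD_DYLIB}
CPU_TYPE_ARM64 = 0x0100000C
MH_EXECUTE = 2


def linked_dylibs(data: bytes) -> list[str]:
    """Return the install names of every dylib the image links, in load order.

    A fat container is unpacked and every slice is parsed; results are concatenated.
    """
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O")
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        names = []
        for i in range(nfat):
            # fat_arch: cputype, cpusubtype, offset, size, align (all big-endian)
            _, _, off, size, _ = struct.unpack_from(">5I", data, 8 + 20 * i)
            names.extend(linked_dylibs(data[off:off + size]))
        return names

    if len(data) < 32 or struct.unpack_from("<I", data, 0)[0] != MH_MAGIC_64:
        raise ValueError("unsupported image: expected 64-bit little-endian Mach-O")
    # mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
    ncmds, sizeofcmds = struct.unpack_from("<2I", data, 16)
    off, names = 32, []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > 32 + sizeofcmds:
            raise ValueError("malformed load command")
        if cmd in DYLIB_CMDS:
            # dylib_command: cmd, cmdsize, then struct dylib {name offset, timestamp,
            # current_version, compatibility_version}; the name string follows.
            name_off = struct.unpack_from("<I", data, off + 8)[0]
            raw = data[off + name_off:off + cmdsize]
            names.append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        off += cmdsize
    return names


def injected_dylibs(suspect: bytes, reference: bytes) -> list[str]:
    """Install names linked by `suspect` that the known-good `reference` does not link."""
    known = set(linked_dylibs(reference))
    return [n for n in linked_dylibs(suspect) if n not in known]


def build_macho(dylib_names: list[str]) -> bytes:
    """Construct a minimal arm64 Mach-O that links the given dylibs (test fixture only).

    It carries no segments or code, which is all the load-command parser needs.
    """
    cmds = b""
    for name in dylib_names:
        raw = name.encode() + b"\0"
        cmdsize = 24 + len(raw)
        cmdsize += (-cmdsize) % 8          # load commands are 8-byte aligned on 64-bit
        cmds += struct.pack("<6I", LC_LOAD_DYLIB, cmdsize, 24, 2, 0x10000, 0x10000)
        cmds += raw.ljust(cmdsize - 24, b"\0")
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                         len(dylib_names), len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    # Constructed fixtures: a "clean" build and the same build with one library added.
    clean = build_macho(["/usr/lib/libSystem.B.dylib",
                         "/System/Library/Frameworks/Foundation.framework/Foundation"])
    sideloaded = build_macho(["/usr/lib/libSystem.B.dylib",
                              "@executable_path/Frameworks/libextra.dylib",   # placeholder name
                              "/System/Library/Frameworks/Foundation.framework/Foundation"])
    for name in injected_dylibs(sideloaded, clean):
        print("not in reference build:", name)
```

On a real case, unzip both IPAs and feed `Payload/<App>.app/<App>` from each to `injected_dylibs`; then look at the named library's own load commands, its code signature, and whatever symbols it exports. A missing entry is only a lead, not proof: a legitimate update can add a framework, and an attacker can also patch code in place without adding a load command, so the check is a first filter rather than a verdict.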
Security Measures
Whatever the resources behind it, SeaFlower shows how much damage a well-executed distribution campaign can do without any exploit at all: the victim installs the malware themselves. The practical defence is to strictly refrain from downloading apps and software from third-party markets or from links surfaced by search results and ads.
Always download mobile apps from official stores: Apple App Store & Play Store. Never install or accept random provisioning profiles on your iPhone; as you saw in this blog post, they allow the download of unverified software that could potentially steal your crypto.
Taha Karim – Confiant
More Chinese Hackers in News
- Iranian and Chinese State Hackers Exploiting Log4j Vulnerability
- Russian language hacking forums warming up to Chinese hackers
- Chinese APT group spying on Vietnam military with FoundCore RAT
- Microsoft disrupts the activity of Chinese hackers by seizing 42 websites
- Unofficial Micropatch for Follina Released as Chinese Hackers Exploit 0-day