Additionally, the cybersecurity firm identified several other applications that did not include phishing functionality but were linked to the same threat actor.

“It’s highly likely that the malicious features were simply waiting to be toggled on in a future update,” Kaspersky says.

The phishing applications were designed to open a link in the browser in an attempt to trick the user into installing infected versions of crypto wallets. The malicious code was typically delivered via libraries, but in some cases it was injected directly into the wallet’s source code.

Code analysis revealed the presence of functions to harvest users’ recovery phrases and seed phrases, and to hijack the methods the app calls when users attempt to restore their hot wallets. Furthermore, the applications were found to target cold wallets through two Ledger implants.

Kaspersky identified a website mimicking the official Ledger site that hosted links to these applications, as well as compromised wallet apps for Android distributed through Chinese-language phishing pages, but not through the Play Store.

According to the cybersecurity firm, while the apps appear to target Chinese speakers, the malicious modules do not have built-in regional restrictions, and some phishing notifications were seen adapting to the app’s language, suggesting that users outside China could be targeted as well.

The threat actor responsible for the FakeWallet campaign appears linked to the SparkKitty malware that was uncovered in June last year, based on the distribution technique, the focus on cryptocurrency wallets, Chinese log messages in the malicious modules, and the presence of SparkKitty modules in some applications.

Apple has been notified and has started removing the malicious apps.

Related: Russian APT Star Blizzard Adopts DarkSword iOS Exploit Kit
Related: Coruna iOS Exploit Kit Likely an Update to Operation Triangulation
Related: Apple Patches iOS Zero-Day Exploited in ‘Extremely Sophisticated Attack’
Related: New $150 Cellik RAT Grants Android Control, Trojanizes Google Play Apps

Source: SecurityWeek