Security researchers have uncovered a large-scale malicious operation that uses trojanized mobile cryptocurrency wallet applications for Coinbase, MetaMask, TokenPocket, and imToken services.
The malicious activity has been identified earlier this year in March. Researchers at Confiant named this activity cluster SeaFlower and describe it as “the most technically sophisticated threat targeting web3 users, right after the infamous Lazarus Group.”
In a recent report, Confiant notes that the malicious cryptocurrency apps are identical to the real ones but they come with a backdoor that can steal the users’ security phrase for accessing the digital assets.
The threat actors behind SeaFlower activity appear to be Chinese, as per hints such as the language of the comments in the source code, infrastructure location, frameworks and services used.
App distribution
The first step in the SeaFlower operation is to spread the trojanized apps to as many users as possible. The threat actor achieves this through clones of legitimate websites, SEO poisoning, and black SEO techniques.
It is also possible that the applications are promoted on social media channels, forums, and malvertising, but the primary channel of distribution that Confiant observed are search services.
The researchers have found that search results from Baidu engine are the most impacted by the SeaFlower operation, directing massive amounts of traffic to the malicious sites.
On iOS, the sites abuse provisioning profiles to side-load the malicious applications on the device to bypass bypassing security protections.
Provisioning profiles are used to tie developers and devices to an authorized development team. They allow devices to be used for testing application code, making them a powerful method to add malicious apps to a device.
Backdoored apps
Confiant analysts reversed engineer the apps to figure out how SeaFlower authors had planted the backdoors and found similar code in all of them.
For the MetaMask app on iOS, the backdoor code is activated upon generating the seed phrase and before it is stored in an encrypted form. This means that the threat actor intercepts the pass phrase when creating a new wallet or when adding an existing one to a newly installed app.
One of the identified functions in the backdoor code, “startupload”, is responsible for stealing the seed phrase and sending it to domains that mimic those of the legitimate vendors.
For instance, the threat actor used POST requests to exfiltrate the pass phrases to ‘trx.lnfura[.]org’ – which impersonates the genuine ‘infura.io’. Similarly, they used ‘metanask[.]cc’, which mimics MetaMask’s original domain.
The class hiding the functions is obfuscated using the base64 encoding algorithm and encrypted using the RSA cryptosystem. However, the keys are hardcoded, so the analysts could decrypt the backdoor, test the code, and validate it at runtime.
The backdoor code wasn’t as diligently hidden in the Android variants malicious apps, and the researchers could access more of their functions without much effort.
A particularly interesting aspect in the discovered backdoor is the injection of a React Native Bundle directly into the RCTBridge instance to load JavaScript.
Referring to this finding, Taha Karim, the director of threat intelligence at Confiant, shared the following comment with BleepingComputer:
Injecting react native bundles is definitely something new in the backdoors world, it has to do with metamask being a react native app. Attackers spent time reverse engineering React native bridge and understood how and where bundles are loaded.
They added a logos tweak to force the backdoor bundle to be loaded at runtime and have it executed by javascriptcore. The bundle came RSA encrypted and hidden inside a dylib file, that is also injected at runtime.
Trusted sources
To protect against these sneaky threats, cryptocurrency users should download wallet applications only from trusted sources, such as official app stores or from the developer’s website.
For iOS users, installing or accepting provisioning profiles without checking the legitimacy of the requests, since these allow installing any app on iOS or macOS systems.