To achieve this, the threat actor modified the Ledger Live application to trick users into selecting the “Restore device from Recovery phrase” option (Figure 8). The Ledger hardware wallets themselves are not targeted in this campaign, instead users may be tricked into revealing their recovery passphrase through social engineering. A stolen recovery phrase may be used by an actor to generate a copy of the user’s private keys, allowing them to steal any digital currencies associated with those private keys. While Proofpoint researchers have not conducted a full analysis on the malware, at the very least the backdoored Ledger Live application is capable of stealing recovery phrases. The fake installer and fake Ledger Live have the following digital signature:įigure 7: Signature for the installer and spoofed Ledger Live downloads Upon clicking the download button on the spoofed page, the installer is downloaded to the user’s machine. The spoofed version removes the warning to users to “beware of fake Ledger Live applications,” seen on the real page below. Figure 5: Spoofed Ledger Live download page with links to malicious executables ![]() The button takes the user to a spoofed Ledger Live download page with links to malicious downloads for Windows, MacOS, and Linux. The fake download page is hosted at “hxxps://xn-ledgr-9zacom/ledger-live/download/”, and when punycode is rendered in a user’s browser, it appears extremely similar to the real download page URL:įigure 3: Malicious URL with punycode characterīeyond the URL, the landing page for the malicious download closely mirrors the legitimate Ledger page, appearing to offer downloads for a variety of desktop platforms and mobile. Instead, at the bottom of the message, a button prompts the recipient to “Download latest version” of Ledger Live.įigure 2: Additional email lure claiming to be from Ledger Landing page and malicious files ![]() ![]() The messages claim that Ledger has experienced a breach and that recipients should assume their “cryptocurrency assets are at risk of being stolen.” The suggested remediation is to download the latest version of Ledger Live and set up a new PIN. In line with Ledger’s real statement following the June breach, the message never suggests that the user will be asked to share their recovery phrase. Luresįigure 1: Email lure claiming to be from Ledger On October 25, 2020, Proofpoint researchers discovered several thousand messages claiming to be from Ledger with subjects like, “Your Ledger Live client may be compromised” and “Your Ledger assets may be at risk”. The messages don’t appear to be targeted at any specific industry or geography. In July 2020, cryptocurrency wallet company Ledger revealed a breach of 9500 customers’ names and contact information. In their announcement, they caution users to be aware of credential phishing attempts and state that they will “never ask for the 24 words of recovery phrase.”
0 Comments
Leave a Reply. |