Chinese-speaking SeaFlower gang spreads compromised Web3 wallets

June 17, 2022
Chinese Hackers SeaFlower Gang Compromised Web3 Wallets

A sophisticated Chinese-speaking threat group tracked as SeaFlower has been targeting iOS and Android users through a campaign built around fake cryptocurrency wallet websites. The campaign distributes backdoored wallet applications that can drain their victims' crypto funds.

The activity was first discovered by researchers last March. At the time, they assessed that the attacks were closely tied to a Chinese-speaking entity that had yet to be identified.

That attribution was later strengthened by artifacts recovered from the attacks: macOS usernames left behind by the operators, source code comments in the backdoor code, and the actors' use of Alibaba's CDN.

Modified Web3 wallets are the primary weapon of the SeaFlower gang for their cryptocurrency attacks.

According to the researchers, SeaFlower's primary objective is to modify legitimate Web3 wallets by adding backdoor code that exfiltrates seed phrases. The targeted applications include the iOS and Android versions of MetaMask, TokenPocket, Coinbase Wallet, and imToken.

SeaFlower's method of attack involves setting up spoofed websites that distribute backdoored versions of these wallet applications. The compromised apps are virtually identical to their legitimate counterparts, except for added code that captures the seed phrase and sends it to a remote domain.
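A wallet build that is identical to the original apart from injected code is exactly what a signing-certificate pin catches: whoever repackages the app cannot re-sign it with the publisher's key, so the signer certificate changes. The script below is an added example, not code from this article or from the SeaFlower research. It is standard-library Python that reads the v1 (JAR) signature block of an Android APK, hashes each embedded signer certificate, and compares the result with a fingerprint pinned beforehand. The sample APK and the "certificates" inside it are constructed inline so it runs offline; a real pin would be taken from a copy of the app obtained through the official store, never from the download site being checked. It covers Android only (the iOS sideloading path uses provisioning profiles, not APKs), reads only the v1 block (apps signed solely with v2/v3 keep their certificate in the APK Signing Block instead), and checks signer identity, not signature validity.

```python
"""Pin-check the signing certificate of a sideloaded Android APK.

Added example for this article, not code from the page or the SeaFlower
research. Reads the v1 (JAR) signature block, hashes each certificate it
carries and compares against a fingerprint pinned beforehand. The sample APK
is constructed inline so the script runs offline; stdlib only.
"""
import hashlib
import io
import zipfile


def _tlv(buf: bytes, pos: int):
    """Decode one DER tag/length header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the full DER certificate, matching what apksigner/keytool print."""
    return hashlib.sha256(cert_der).hexdigest()


def pkcs7_cert_fingerprints(der: bytes) -> list[str]:
    """Fingerprints of every certificate inside a PKCS#7 SignedData (META-INF/*.RSA)."""
    tag, p, _ = _tlv(der, 0)           # ContentInfo ::= SEQUENCE
    tag2, _, p = _tlv(der, p)          # contentType OID (signedData), skipped
    tag3, p, _ = _tlv(der, p)          # content [0] EXPLICIT
    tag4, p, _ = _tlv(der, p)          # SignedData ::= SEQUENCE
    if (tag, tag2, tag3, tag4) != (0x30, 0x06, 0xA0, 0x30):
        raise ValueError("not a PKCS#7 SignedData")
    for _ in range(3):                 # version, digestAlgorithms, encapContentInfo
        _, _, p = _tlv(der, p)
    tag, p, certs_end = _tlv(der, p)   # certificates [0] IMPLICIT SET OF Certificate
    if tag != 0xA0:
        return []                      # OPTIONAL field absent: nothing to pin against
    fps = []
    while p < certs_end:
        _, _, cert_end = _tlv(der, p)
        fps.append(cert_fingerprint(der[p:cert_end]))  # hash covers tag + length + value
        p = cert_end
    return fps


def apk_signer_fingerprints(apk_bytes: bytes) -> list[str]:
    """Signer certificate fingerprints from every v1 signature block in the APK."""
    fps = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                fps.extend(pkcs7_cert_fingerprints(z.read(name)))
    return fps


def verify_apk_signer(apk_bytes: bytes, pinned_sha256: str) -> bool:
    """True only if the APK has at least one signer and every signer cert matches the pin.
    Identity check only: a repackaged, re-signed wallet fails here, but the signature over
    the archive is not validated, so the platform's install-time verification still applies."""
    fps = apk_signer_fingerprints(apk_bytes)
    return bool(fps) and all(fp == pinned_sha256.lower() for fp in fps)


def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder used only to build the constructed sample."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_apk(cert_der: bytes) -> bytes:
    """Constructed sample: APK-shaped zip whose META-INF/CERT.RSA embeds cert_der (no real signature)."""
    signed_data = _der(0x30,
        _der(0x02, b"\x01")                                            # version
        + _der(0x31, b"")                                              # digestAlgorithms
        + _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D010701")))  # encapContentInfo (data)
        + _der(0xA0, cert_der)                                         # certificates [0]
        + _der(0x31, b""))                                             # signerInfos
    content_info = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D010702")) + _der(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", content_info)
        z.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


if __name__ == "__main__":
    publisher_cert = _der(0x30, b"constructed: legitimate publisher certificate")
    attacker_cert = _der(0x30, b"constructed: attacker re-signing certificate")
    pin = cert_fingerprint(publisher_cert)  # in practice, taken from the official store copy
    print("official build matches pin:", verify_apk_signer(build_sample_apk(publisher_cert), pin))
    print("repackaged build matches pin:", verify_apk_signer(build_sample_apk(attacker_cert), pin))
```

Against a real download, pass the file contents to `apk_signer_fingerprints` and compare with the pin: a mismatch means someone other than the publisher signed the package, and an empty list means there is no v1 signature block to inspect, so the APK Signing Block has to be checked instead.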

On iOS, the threat actors distribute the apps with provisioning profiles that allow the backdoored wallet to be sideloaded onto the device without going through the App Store.

Users reach these fraudulent wallet websites through SEO poisoning. The actors optimize their pages so that searches on Chinese search engines such as Sogou and Baidu for keywords like "MetaMask", "iOS", or "download" surface the spoofed sites near the top of the results, which in turn drives downloads of the compromised apps.

The discovery of SeaFlower highlights how a growing number of threat actors are setting their sights on popular Web3 platforms. These platforms will remain a hotspot for malicious entities because they hold sensitive data and funds that attackers can transfer quickly and irreversibly.
