A Chinese-speaking, technically skilled threat actor is distributing backdoored cryptocurrency wallet apps to drain victims' funds in a newly discovered large-scale operation.
Confiant security researchers have shared details of a large-scale operation run by a technically advanced, sophisticated threat actor. The actor distributes backdoored applications through fake versions of legitimate cryptocurrency wallet websites in order to drain funds. The activity cluster is dubbed SeaFlower and reportedly targets iOS and Android users.
Confiant researchers noted that the trojanized wallet apps are functionally identical to the genuine versions. However, they contain a backdoor that steals the user's seed phrase, giving the attackers access to the victim's digital assets.
The SeaFlower operation leverages website cloning, SEO poisoning, and black SEO techniques to distribute the trojanized apps to a broader range of users. Targeted applications include the iOS and Android versions of MetaMask, Coinbase Wallet, imToken, and TokenPocket.
The apps are distributed through Chinese search engines such as Baidu and Sogou. The search results are poisoned so that when someone searches for a term such as "Download MetaMask iOS", the drive-by download pages appear at the top of the first results page.
Unsuspecting users land on these malicious sites, which serve as a conduit for luring them into downloading trojanized versions of the wallet apps. These apps