A cybersecurity researcher from Brazil uncovered a large-scale scam operation after buying a “Ledger” hardware wallet from a Chinese marketplace listing that looked legitimate and was priced the same as the official store. The packaging appeared authentic from a distance, but the device was counterfeit.
When the researcher connected it to Ledger Live installed from ledger.com, it failed the Genuine Check, confirming it was not a real Ledger device. This failure led the researcher to open the device and examine its internal hardware and firmware.
Cloned Websites and Malicious Apps
Inside the shell, the researcher found a completely different chip, not the kind used in a hardware wallet. The chip markings had been physically scraped off to hide its identity. According to the researcher’s Reddit post, the device also contained a WiFi and Bluetooth antenna, which is not present in a real Ledger Nano S+. By analyzing the chip layout, they identified it as an ESP32-S3 with internal flash memory.
When the device booted, it initially masked itself as a Ledger Nano S+ 7704 with serial numbers and Ledger factory identification, but later revealed its true manufacturer as Espressif Systems.
After dumping the firmware and reverse engineering it, the researcher found that the PIN created on the device was stored in plaintext. The seed phrases from wallets generated on the device were also stored in plaintext. The firmware also contained several hardcoded domain references pointing to external command-and-control servers. These findings revealed that the device was designed to collect sensitive wallet data and send it to external servers.
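As an added example (not the researcher’s tooling or any Ledger code), the following Python performs the kind of first-pass triage on a firmware dump that surfaces what the researcher reported: a plaintext PIN, a plaintext seed phrase, and hardcoded domains that do not belong to the vendor. The dump bytes and the domain update.example-c2.invalid are constructed placeholders; the known-good list is an assumed input an analyst would supply.

```python
import re

# Constructed sample "firmware dump": binary noise around a few plaintext
# artefacts. Example data only, not taken from the researcher's real dump.
SAMPLE_DUMP = (
    b"\x00\xff\x10ESP32-S3 boot\x00\x00"
    b"pin=4821\x00\x00\xde\xad"
    b"abandon ability able about above absent absorb abstract absurd abuse access accident\x00"
    b"\x01\x02https://update.example-c2.invalid/api/v1\x00\x00"
    b"ledger.com\x00\x7f\x00"
)

# Domain or domain+path, e.g. "update.example-c2.invalid/api/v1"
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?")
# Runs of 12+ lowercase 3-8 letter words: BIP39 words are 3-8 letters long
WORD_RUN_RE = re.compile(r"\b[a-z]{3,8}(?: [a-z]{3,8}){11,}\b")
# Plaintext PIN pattern seen in the constructed dump (assumed key name)
PIN_RE = re.compile(r"pin=(\d{4,8})")


def printable_strings(blob: bytes, min_len: int = 4) -> list:
    """Return runs of printable ASCII of at least min_len chars (like `strings`)."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def triage_firmware(blob: bytes, known_good: set) -> dict:
    """Flag plaintext PINs, seed-phrase-shaped word runs and domains in a dump.

    Domains whose host is not in known_good are reported separately so an
    analyst can compare them against the vendor's legitimate endpoints.
    """
    domains, seeds, pins = [], [], []
    for s in printable_strings(blob):
        domains += DOMAIN_RE.findall(s)
        # Keep only runs that have exactly 12 or 24 words (BIP39 phrase lengths)
        seeds += [m.group() for m in WORD_RUN_RE.finditer(s)
                  if len(m.group().split()) in (12, 24)]
        pins += PIN_RE.findall(s)
    unexpected = [d for d in domains if d.split("/")[0] not in known_good]
    return {"domains": domains, "unexpected_domains": unexpected,
            "seed_candidates": seeds, "pins": pins}


if __name__ == "__main__":
    for key, value in triage_firmware(SAMPLE_DUMP, {"ledger.com"}).items():
        print(f"{key}: {value}")
```

A genuine wallet's firmware should yield no seed or PIN candidates at all, since those secrets never leave the secure element in plaintext.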
The researcher also examined how the attack might work in practice. Although the hardware contained a WiFi and Bluetooth antenna, the firmware showed no evidence of wireless data transmission or WiFi access point connections. It also did not contain malicious USB scripts for keystroke injection or terminal commands. Instead, the attack appeared to rely on user interaction outside the device itself.
According to them, the scam begins when a user scans a QR code included in the packaging. This QR code leads to a cloned website that looks like ledger.com. From there, users are prompted to download a fake “Ledger Live” application for Android, iOS, Windows, or Mac. The fake app shows a counterfeit Genuine Check screen that always passes. Users then create wallets and write down seed phrases, believing the setup is safe. Meanwhile, the fake app exfiltrates the seed phrases to attacker-controlled servers.
The researcher decompiled the Android APK version of the fake Ledger Live app and found additional malicious behavior. The app was built with React Native and the Hermes engine. It was signed with an Android debug certificate instead of a proper signing key. It intercepted APDU commands between the app and the device, made stealthy requests to external servers, and kept running in the background for several minutes after being closed.
It also requested location permissions and monitored wallet balances using public keys, which allowed the attackers to track deposits and amounts.
Not A Flaw in Ledger Security
The researcher stated that this is not a zero-day vulnerability and not a flaw in Ledger’s security design. Ledger’s Genuine Check and Secure Element were confirmed to work correctly. Instead, this is described as a phishing operation combining counterfeit hardware, malicious apps, and external infrastructure. The full operation consists of hardware devices built on ESP32-S3 chips, trojanized apps for Android and other platforms, and command-and-control servers used for data exfiltration.
The researcher also added that fake Ledger devices have been reported before, but this case is different because it maps the full system, including hardware, apps, infrastructure, and distribution through a shell company linked to the marketplace listings. The researcher has submitted a report to Ledger’s Customer Success team and is preparing a full technical breakdown with further analysis of the Windows, macOS, and iOS versions of the malware.
A few years back, another Reddit user reported receiving a Ledger Nano X in an authentic-looking package, but a letter inside raised concerns due to spelling and grammar errors. The letter claimed the device was a replacement sent after a data breach.
A security expert later found that the device had a flash drive wired to the USB connector, intended for malware delivery and potential theft.
The post Fake Ledger Wallet Exposed With Hidden Chip Stealing Seed Phrases and PINs appeared first on CryptoPotato.