SeaFlower is a large-scale campaign that uses cloned versions of cryptocurrency wallet applications, including MetaMask, Coinbase, imToken, and TokenPocket, according to researchers.
The SeaFlower Campaign Was a Success
Confiant researchers discovered the campaign in March and named the activity SeaFlower. They regard it as a technically advanced threat aimed at web3 users.
The malicious cryptocurrency apps look identical to the legitimate ones. Unlike the originals, however, these phoney apps contain a backdoor that can steal users' seed phrases, which grant access to their digital assets.
According to the researchers, the attackers embedded backdoor code in these apps. The backdoor steals seed phrases and sends them to sites made to look like legitimate merchants.
Based on clues such as the language of source code comments, the frameworks used, the location of the infrastructure, and the services relied on, the attackers appear to be Chinese.
Techniques of Propagation
According to the researchers, search engines are the main distribution channel. The attackers are also said to push the apps through social media, forums, and malvertising.
In addition, the trojanized apps spread through fraudulent cryptocurrency wallet websites, as well as through black-hat SEO and SEO poisoning techniques.
The SeaFlower campaign's impact is greatest in the search results of the Baidu engine.
On iOS, the sites abuse provisioning profiles to side-load the malicious apps, bypassing the platform's security measures.
Guidelines
To stay safe from such attacks, cryptocurrency users should only download wallet apps from reputable sources. iOS users should not install provisioning profiles without first confirming that the request is legitimate, because these profiles allow arbitrary software to be installed on macOS or iOS.