
A malicious campaign called PoisonSeed leverages compromised credentials associated with customer relationship management (CRM) tools and bulk email providers to send spam messages containing cryptocurrency seed phrases, with the aim of emptying victims' digital wallets.
“Bulk spam recipients are being targeted in cryptocurrency seed phrase poisoning attacks,” Silent Push said in its analysis. “As part of the attack, PoisonSeed will provide security seed phrases to potential victims to copy and paste into new cryptocurrency wallets for future compromises.”
PoisonSeed's targets include enterprise organizations and individuals outside the cryptocurrency industry. Crypto companies like Coinbase and Ledger, and bulk email providers like Mailchimp, SendGrid, HubSpot, Mailgun and Zoho, are among the companies targeted.

This activity is assessed to be distinct from two loosely aligned threat actors, Scattered Spider and CryptoChameleon, which are part of a broader cybercrime ecosystem called The Com. Several aspects of the campaign were previously disclosed last month by security researcher Troy Hunt and by BleepingComputer.
The attack involves threat actors setting up phishing pages that impersonate prominent CRM and bulk email companies, aiming to trick high-value targets into providing their credentials. Once the credentials are obtained, the adversary creates an API key to ensure persistence even if the stolen password is later reset by the account owner.
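The persistence trick described above works because a password reset does not invalidate API keys that were minted while the attacker held the account. The following audit routine is an added example, not code from the article or from any vendor named in it; it assumes a constructed, hypothetical audit-log record shape (real CRM and bulk mail providers each expose their own schema). It walks the account's audit events in time order, treats the first login from an IP outside the owner's known set as the start of a suspicious window, collects API keys created inside that window, and reports the ones that were never revoked, including whether a password reset happened while they stayed alive.

```python
from dataclasses import dataclass
from datetime import datetime


# Constructed audit-log record shape for this demo (an assumption, not a vendor format).
@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    action: str          # "login", "api_key.create", "api_key.revoke", "password.reset"
    actor_ip: str
    key_id: str = ""     # populated for api_key.* events only


def audit_api_key_persistence(events, known_ips):
    """Find API keys that would outlive a password reset.

    The first login from an IP not in known_ips opens the suspicious window.
    Every API key created from then until the next password reset is collected;
    keys with no matching revoke event are reported as still alive.
    """
    ordered = sorted(events, key=lambda e: e.ts)
    window_start = None
    reset_at = None
    created_in_window = {}
    revoked = set()
    for ev in ordered:
        if ev.action == "login" and window_start is None and ev.actor_ip not in known_ips:
            window_start = ev.ts
        elif ev.action == "api_key.create" and window_start is not None and reset_at is None:
            created_in_window[ev.key_id] = ev.ts
        elif ev.action == "api_key.revoke":
            revoked.add(ev.key_id)
        elif ev.action == "password.reset" and window_start is not None and reset_at is None:
            reset_at = ev.ts
    surviving = sorted(k for k in created_in_window if k not in revoked)
    return {
        "suspicious_login_at": window_start,
        "password_reset_at": reset_at,
        "surviving_keys": surviving,
        # True when the owner reset the password but attacker-era keys were left in place.
        "reset_left_keys_alive": reset_at is not None and bool(surviving),
    }


# Constructed sample: owner works from 203.0.113.10; an unknown IP logs in,
# creates two keys, revokes one itself, and the owner later resets the password.
KNOWN_IPS = {"203.0.113.10"}
SAMPLE_EVENTS = [
    AuditEvent(datetime(2025, 3, 1, 9, 0), "login", "203.0.113.10"),
    AuditEvent(datetime(2025, 3, 2, 22, 14), "login", "198.51.100.7"),
    AuditEvent(datetime(2025, 3, 2, 22, 16), "api_key.create", "198.51.100.7", "key_a"),
    AuditEvent(datetime(2025, 3, 2, 22, 20), "api_key.create", "198.51.100.7", "key_c"),
    AuditEvent(datetime(2025, 3, 2, 22, 25), "api_key.revoke", "198.51.100.7", "key_c"),
    AuditEvent(datetime(2025, 3, 3, 8, 30), "password.reset", "203.0.113.10"),
    # Created by the owner after the reset: outside the window, so not flagged.
    AuditEvent(datetime(2025, 3, 3, 8, 31), "api_key.create", "203.0.113.10", "key_b"),
]

if __name__ == "__main__":
    report = audit_api_key_persistence(SAMPLE_EVENTS, KNOWN_IPS)
    for field, value in report.items():
        print(f"{field}: {value}")
```

The practical consequence is an incident-response step: when a CRM or bulk mail account password is reset after suspected phishing, enumerate and revoke every API key created since the earliest anomalous login rather than trusting the reset alone.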

In the next stage, the operators export mailing lists and use automated tools to send spam from the compromised accounts. These post-CRM-compromise supply chain spam messages tell recipients that they need to set up a new Coinbase wallet using the seed phrase embedded in the email.
The ultimate goal of the attack is to hijack those wallets using the same recovery phrase and transfer funds out of them. The links to Scattered Spider and CryptoChameleon are based on the use of a domain (“mailchimp-sso[.]com”) previously identified as used by the former, as well as CryptoChameleon's historical targeting of Coinbase and Ledger.
That said, the phishing kits used by PoisonSeed do not share similarities with those used by the other two threat clusters, raising the possibility that they are either brand new CryptoChameleon phishing kits or that another threat actor is using similar tactics.

The development comes as Russian-speaking threat actors have been observed using phishing pages hosted on Cloudflare Pages.dev and Workers.dev to deliver malware that allows remote control of infected Windows hosts. Previous iterations of the campaign are also said to have distributed the StealC information stealer.
“This recent campaign is leveraging Digital Millennium Copyright Act (DMCA) takedown notifications, offered across multiple domains, for Cloudflare-branded phishing pages,” Hunt.io said.
“The lure abuses the ms-search protocol to download a malicious LNK file disguised as a PDF via a dual extension. After execution, the malware checks in with an attacker-controlled Telegram bot and posts the victim's IP address before moving to Pyramid C2 to control the infected host.”
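Both campaigns on this page leave indicators in the message itself: PoisonSeed embeds a BIP-39 recovery phrase in the body, and the Cloudflare-hosted lure carries a `search-ms:` URI and an attachment with a document extension stacked on an executable one. The scanner below is an added example, not code from the article, Silent Push or Hunt.io. It assumes a plain-text body and a list of attachment filenames as input, and ships with a constructed subset of the BIP-39 English wordlist so it runs offline; a production deployment would pass the full 2048-word list to `find_seed_phrases`. The seed-phrase check flags any run of twelve or more consecutive wordlist tokens, the filename check flags a document-type extension immediately followed by an executable-type one, and the URI check matches the `search-ms:` scheme.

```python
import re

# Constructed subset of the BIP-39 English wordlist for the offline demo.
# Assumption: callers supply the full 2048-word list in practice.
DEMO_WORDLIST = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse access
accident account accuse achieve acid acoustic acquire across act action actor
""".split())

MIN_SEED_WORDS = 12   # shortest valid BIP-39 mnemonic
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}
EXECUTABLE_EXTS = {"lnk", "exe", "scr", "bat", "cmd", "js", "vbs", "hta"}
SEARCH_MS_RE = re.compile(r"\bsearch-ms:[^\s\"'<>]*", re.IGNORECASE)


def find_seed_phrases(text, wordlist=DEMO_WORDLIST):
    """Return runs of >= MIN_SEED_WORDS consecutive tokens that are all wordlist words."""
    tokens = re.findall(r"[a-z]+", text.lower())
    hits, i, n = [], 0, len(tokens)
    while i < n:
        if tokens[i] not in wordlist:
            i += 1
            continue
        j = i
        while j < n and tokens[j] in wordlist:
            j += 1
        if j - i >= MIN_SEED_WORDS:
            hits.append(" ".join(tokens[i:j]))
        i = j
    return hits


def is_disguised_executable(filename):
    """True for names like report.pdf.lnk: a document extension shown before a real executable one."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, shown_ext, real_ext = parts
    return shown_ext in DOCUMENT_EXTS and real_ext in EXECUTABLE_EXTS


def scan_message(body, attachments, wordlist=DEMO_WORDLIST):
    """Collect findings for the three lure indicators described on the page."""
    findings = []
    for phrase in find_seed_phrases(body, wordlist):
        findings.append({"kind": "seed_phrase", "value": phrase})
    for uri in SEARCH_MS_RE.findall(body):
        findings.append({"kind": "search_ms_uri", "value": uri})
    for name in attachments:
        if is_disguised_executable(name):
            findings.append({"kind": "disguised_executable", "value": name})
    return findings


# Constructed sample message combining both lure styles (not a real captured email).
SAMPLE_BODY = """Your Coinbase account needs attention. Set up a new wallet with this recovery phrase:
abandon ability able about above absent absorb abstract absurd abuse access accident
Open the statement here: search-ms:query=statement
"""
SAMPLE_ATTACHMENTS = ["statement.pdf.lnk", "terms.pdf"]

if __name__ == "__main__":
    for finding in scan_message(SAMPLE_BODY, SAMPLE_ATTACHMENTS):
        print(f"{finding['kind']}: {finding['value']}")
```

On mail gateways the seed-phrase rule is the highest-signal of the three, since legitimate business mail almost never contains twelve consecutive BIP-39 words; the double-extension rule should also be applied to names inside archive attachments, which this example does not unpack.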