A cybersecurity researcher from Brazil uncovered a large-scale rip-off operation after shopping for a “Ledger” {hardware} pockets from a Chinese language market itemizing that regarded official and was priced the identical because the official retailer. The packaging appeared authentic from a distance, however the system was counterfeit.
When the researcher linked it to Ledger Dwell put in from ledger.com, it failed the Real Test, confirming it was not an actual Ledger system. This failure led the researcher to open the system and study its inner {hardware} and firmware.
Cloned Web sites and Malicious Apps
Contained in the shell, the researcher discovered a very totally different chip, not the kind utilized in a {hardware} pockets. The chip markings had been bodily scraped off to cover identification. As per the researcher’s Reddit put up, the system additionally contained a WiFi and Bluetooth antenna, which isn’t current in an actual Ledger Nano S+. By analyzing the chip structure, they recognized it as an ESP32-S3 with inner flash reminiscence.
When the system booted, it initially masked itself as a Ledger Nano S+ 7704 with serial numbers and Ledger manufacturing facility identification, however later revealed its true producer as Espressif Techniques.
After dumping the firmware and reverse engineering it, the researcher discovered that the PIN created on the system was saved in plaintext. The seed phrases from wallets generated on the system had been additionally saved in plaintext. The firmware additionally contained a number of hardcoded area references pointing to exterior command-and-control servers. These findings revealed that the system was designed to gather delicate pockets knowledge, with hyperlinks to exterior servers.
The researcher additionally examined how the assault may work in apply. Though the {hardware} contained a WiFi and Bluetooth antenna, the firmware didn’t present proof of wi-fi knowledge transmission or WiFi entry level connections. It additionally didn’t comprise unhealthy USB scripts for keystroke injection or terminal instructions. As a substitute, the assault appeared to depend on person interplay outdoors the system itself.
Based on them, the rip-off begins when a person scans a QR code included within the packaging. This QR code results in a cloned web site that appears like ledger.com. From there, customers are prompted to obtain a faux “Ledger Dwell” software for Android, iOS, Home windows, or Mac. The faux app reveals a counterfeit Real Test display that at all times passes. Customers then create wallets and write down seed phrases, believing the setup is protected. In the meantime, the faux app exfiltrates seed phrases to attacker-controlled servers.
The researcher decompiled the Android APK model of the faux Ledger Dwell app and located further malicious conduct. The app was constructed with React Native and the Hermes engine. It was signed with an Android debug certificates as an alternative of a correct signing key. It intercepted APDU instructions between the app and system, made stealth requests to exterior servers, and continued working within the background for a number of minutes after being closed.
It additionally requested location permissions and monitored pockets balances utilizing public keys, which allowed attackers to trace deposits and quantities.
Not A Flaw in Ledger Safety
The researcher acknowledged that this isn’t a zero-day vulnerability and never a flaw in Ledger’s safety design. Ledger’s Real Test and Safe Aspect had been confirmed to work accurately. As a substitute, that is described as a phishing operation combining counterfeit {hardware}, malicious apps, and exterior infrastructure. The complete operation consists of {hardware} gadgets with ESP32-S3 chips, trojanized apps for Android and different platforms, and command-and-control servers used for knowledge exfiltration.
The researcher additionally added that faux Ledger gadgets have been reported earlier than, however this case is totally different as a result of it maps the complete system, together with {hardware}, apps, infrastructure, and distribution by a shell firm linked to market listings. The researcher has submitted a report back to Ledger’s Buyer Success staff and is making ready a full technical breakdown with additional evaluation of Home windows, macOS, and iOS variations of the malware.
Just a few years again, one other Reddit person reported receiving a Ledger Nano X in an authentic-looking bundle, however a letter inside raised considerations on account of spelling and grammar errors. The letter claimed it was a substitute after an information breach.
A safety knowledgeable later discovered the system had a flash drive wired to the USB connector, which was supposed for malware supply and potential theft.
The put up Pretend Ledger Pockets Uncovered With Hidden Chip Stealing Seed Phrases and PINs appeared first on CryptoPotato.