Fake Ledger Wallet Exposed With Hidden Chip Stealing Seed Phrases and PINs
A cybersecurity researcher from Brazil uncovered a large-scale scam operation after buying a “Ledger” hardware wallet from a Chinese marketplace listing that looked legitimate and was priced the same as the official store. The packaging looked genuine from a distance, but the device was counterfeit.
When the researcher connected it to Ledger Live installed from ledger.com, it failed the Genuine Check, confirming it was not a real Ledger device. This failure led the researcher to open the device and examine its internal hardware and firmware.
Cloned Websites and Malicious Apps
Inside the shell, the researcher found a completely different chip, not the kind used in a hardware wallet. The chip markings had been physically scraped off to hide its identity. According to the researcher’s Reddit post, the device also contained a WiFi and Bluetooth antenna, which is not present in a real Ledger Nano S+. By analyzing the chip layout, they identified it as an ESP32-S3 with internal flash memory.
When the device booted, it initially masqueraded as a Ledger Nano S+ 7704 with serial numbers and Ledger factory identification, but later revealed its true manufacturer as Espressif Systems.
After dumping the firmware and reverse engineering it, the researcher found that the PIN created on the device was stored in plaintext. The seed phrases from wallets generated on the device were also stored in plaintext. The firmware also contained several hardcoded domain references pointing to external command-and-control servers. These findings showed that the device was designed to collect sensitive wallet data and send it to external servers.
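Plaintext seed phrases and hardcoded command-and-control domains are exactly the artifacts a defender can triage from a flash dump. The Python script below is an added example, not the researcher’s code: it scans a dump for runs of BIP39 words stored one byte apart (space or NUL separated) and for domain-like strings. The wordlist subset, TLD list and sample dump are constructed for the demo, and since the write-up does not describe how the PIN was laid out in flash, the script does not search for it.

```python
import re

# Constructed subset of the BIP39 English wordlist, enough for this demo.
# Assumption: a real triage run loads the full 2048-word list from a file
# (and can then also verify the BIP39 checksum, which this subset cannot).
BIP39_SUBSET = {
    "abandon", "ability", "able", "about", "above", "absent", "absorb",
    "abstract", "absurd", "abuse", "access", "accident", "account",
    "wrist", "write", "wrong", "zebra", "zero", "zone", "zoo",
}

# Domain-like strings; the TLD list is a constructed short sample, extend as needed.
DOMAIN_RE = re.compile(rb"(?:[a-z0-9-]{1,63}\.)+(?:com|net|org|io|xyz|top)\b")


def find_mnemonics(blob: bytes, wordlist=BIP39_SUBSET, min_words=12):
    """Return runs of >= min_words consecutive wordlist words, each pair
    separated by exactly one byte (space or NUL): a plaintext seed phrase."""
    hits, run, last_end = [], [], None
    for m in re.finditer(rb"[a-z]+", blob):
        word = m.group(0).decode()
        adjacent = last_end is not None and m.start() - last_end == 1
        if word in wordlist and (adjacent or not run):
            run.append(word)
        else:
            if len(run) >= min_words:
                hits.append(" ".join(run))
            run = [word] if word in wordlist else []
        last_end = m.end()
    if len(run) >= min_words:
        hits.append(" ".join(run))
    return hits


def find_domains(blob: bytes):
    """Return the distinct hardcoded domain names found in the dump."""
    return sorted({m.group(0).decode() for m in DOMAIN_RE.finditer(blob)})


# Constructed sample "flash dump": binary padding, a NUL-separated 12-word
# phrase, a hardcoded URL and a short decoy run that must be ignored.
SAMPLE_DUMP = (
    b"\x7fELF\x01\x01\x01" + b"\x90" * 16
    + b"\x00".join(b"abandon ability able about above absent absorb abstract "
                   b"absurd abuse access zoo".split())
    + b"\x00\xde\xad\xbe\xef"
    + b"https://update.c2-placeholder.example.com/api/v1\x00"
    + b"free text zone zero wrong not a seed\x00"
)
```

Run `find_mnemonics(SAMPLE_DUMP)` and `find_domains(SAMPLE_DUMP)` on a real dump read with `open(path, "rb").read()`; the three-word decoy run is dropped because it is shorter than `min_words`.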
The researcher also examined how the attack might work in practice. Although the hardware contained a WiFi and Bluetooth antenna, the firmware showed no evidence of wireless data transmission or WiFi access point connections. It also did not contain malicious USB scripts for keystroke injection or terminal commands. Instead, the attack appeared to rely on user interaction outside the device itself.
According to them, the scam begins when a user scans a QR code included in the packaging. This QR code leads to a cloned website that looks like ledger.com. From there, users are prompted to download a fake “Ledger Live” application for Android, iOS, Windows, or Mac. The fake app shows a counterfeit Genuine Check screen that always passes. Users then create wallets and write down seed phrases, believing the setup is safe. Meanwhile, the fake app exfiltrates the seed phrases to attacker-controlled servers.
The researcher decompiled the Android APK version of the fake Ledger Live app and found more malicious behavior. The app was built with React Native and the Hermes engine. It was signed with an Android debug certificate instead of a proper signing key. It intercepted APDU commands between the app and the device, made stealthy requests to external servers, and kept running in the background for several minutes after being closed.
It also requested location permissions and monitored wallet balances using public keys, which allowed the attackers to track deposits and amounts.
Not A Flaw in Ledger Security
The researcher stated that this is not a zero-day vulnerability and not a flaw in Ledger’s security design. Ledger’s Genuine Check and Secure Element were confirmed to work correctly. Instead, this is described as a phishing operation combining counterfeit hardware, malicious apps, and external infrastructure. The full operation includes hardware devices with ESP32-S3 chips, trojanized apps for Android and other platforms, and command-and-control servers used for data exfiltration.
The researcher also added that fake Ledger devices have been reported before, but this case is different because it maps the full system, including hardware, apps, infrastructure, and distribution through a shell company linked to marketplace listings. The researcher has submitted a report to Ledger’s Customer Success team and is preparing a full technical breakdown with further analysis of the Windows, macOS, and iOS versions of the malware.
A few years ago, another Reddit user reported receiving a Ledger Nano X in an authentic-looking package, but a letter inside raised concerns due to spelling and grammar errors. The letter claimed the device was a replacement sent after a data breach.
A security expert later found that the device had a flash drive wired to the USB connector, intended for malware delivery and potential theft.
The post Fake Ledger Wallet Exposed With Hidden Chip Stealing Seed Phrases and PINs appeared first on CryptoPotato.
