Moonlock Lab outlined 4 different campaigns, all targeting users of the Mac version of Ledger Live, a cryptocurrency management app. Among other techniques described, they mentioned a newly-observed technique for phishing seed phrases.
Some of the techniques mentioned involve doing things like using compiled Python code or executing AppleScripts via osascript in the shell. None of this is particularly unique, though it’s interesting from the perspective of a threat researcher. (I was especially interested, as I’d just seen a very similar AppleScript to the one described in the article, spotted by my current employer’s EDR due to suspicious activity it was exhibiting. Some of the lines of code did exactly what was described in Moonlock’s article.)
Of particular interest to me was the phishing screen that attempted to convince the user to enter seed phrase. The “seed phrase” is a set of 24 words, and it can be used like a recovery key to regain access to an account if you lose access. If the attackers can get your seed phrase, they can take over your account.
What’s really interesting to me is that it asks for the seed phrase via 24 separate text fields, which seems extremely cumbersome. I should preface this by saying that I don’t know what the legitimate Ledger Live user experience is, and maybe it’s exactly the same. (If so, that’s the real crime here!) However, I do wonder how many people will jump straight to entering or pasting all those words into 24 different fields, vs going to search about the error online and finding references to it being malware. (If anyone knows more about Ledger Live, feel free to post in the comments… they’re moderated, but if you post something that’s helpful and obviously not spam, I’ll let it through.)
This follows a definite trend lately of Mac malware designed to target owners of cryptocurrency. It seems that can increase your risk of infection on a Mac significantly.