The Good Tech Companies - Tracking Atomic Stealer on macOS: Sophisticated Malware Replacing LedgerLive App

Episode Date: August 24, 2024

This story was originally published on HackerNoon at: https://hackernoon.com/tracking-atomic-stealer-on-macos-sophisticated-malware-replacing-ledgerlive-app. We delve into the new tactics of a sophisticated piece of macOS malware, Atomic Stealer. It now replaces a popular app for managing crypto wallets with a malicious clone. Check more stories related to cybersecurity at: https://hackernoon.com/c/cybersecurity. You can also check exclusive content about #cyber-threats, #macos, #malware, #malware-analysis, #cryptowallet, #good-company, #infection-chain, #ledgerlive, and more. This story was written by: @moonlock. Learn more about this writer by checking @moonlock's about page, and for more stories, please visit hackernoon.com. Atomic Stealer's new tactics include replacing the legitimate Ledger Live app with a malicious clone without the user noticing. The malware uses a phishing window to trick users into giving up sensitive information. It then transmits the data to the command and control server and sends it on to other servers.

Transcript
Starting point is 00:00:00 This audio is presented by Hacker Noon, where anyone can learn anything about any technology. Tracking Atomic Stealer on macOS: Sophisticated Malware Replacing Ledger Live App. By Moonlock by MacPaw. Author: Artem Chumak, Malware Research Engineer at Moonlock by MacPaw. Introduction. In our Moonlock lab, we have been closely monitoring the evolution of the Atomic Stealer. This malware has garnered our attention due to its rapid development and the sophisticated features it employs. One particular feature, which we previously highlighted in our X (Twitter) post, stands out for its advanced capability to replace the legitimate Ledger Live app with a malicious clone.
Starting point is 00:00:40 In this article, we delve deeper into this feature and its implications. Monitoring and analysis. Our team continuously monitors darknet forums and Telegram channels used by threat actors. This activity allows us to stay informed about the latest developments and tactics before they spread among users. By infiltrating these channels, we gain real-time insights into the latest updates in cyber threats. One of the great sources of information has been the Telegram channel operated by the group behind the AMOS Stealer. This channel not only facilitates the sale of the malware but also provides updates on its development and deployment. By tracking discussions within this channel, we have been able to document the evolution of the Atomic Stealer and understand its dynamics. In fact, the operator's regular
Starting point is 00:01:26 posts give insights into future developments and tactics, allowing us to anticipate potential changes. Additionally, we learned about the cost of the particular version of Atomic Stealer. And one day, while monitoring the Telegram channel of the Amos operator, we came across an advertisement highlighting a new functionality. This new feature involves replacing the Ledger Live app with a malicious clone without the user noticing. Furthermore, all user actions with the application, such as opening, closing, entering the seed phrase, and sending the seed phrase, are logged into a separate Telegram channel created by the bot for monitoring purposes. This functionality is offered as a unique module designed for regular customers with stable traffic. The module itself is free, but the
Starting point is 00:02:10 operators charge a 30% fee on the balance of each seed phrase collected. Ledger Live app's infection chain. We were particularly interested in, and therefore obtained and analyzed, this version of Atomic Stealer that primarily targets the Ledger Live app. Ledger Live is a widely used application for managing cryptocurrency wallets, providing users with a secure and convenient way to handle their digital assets. Consequently, due to its popularity and the high value of the assets it manages, it has become a lucrative target for cybercriminals. Let's examine the infection process, which typically begins when a user downloads a malicious installer disguised as a crack install .dmg. Inside this seemingly harmless file is the Atomic Stealer, a piece of malware designed to execute silently once opened.
Starting point is 00:02:58 Adversaries often provide visual instructions to help victims bypass Gatekeeper. The instructions guide users to right-click on the crack install file and select Open to circumvent the security measure. Upon execution, the Stealer immediately gets to work, replacing key components in the Ledger Live app. Specifically, it targets files such as App.tsx, PairMyNano.tsx, and ProtectDiscoverBody.tsx, replacing them with malicious versions. This process effectively creates a clone of the original Ledger Live app. The malicious clone is designed to mimic the legitimate app's appearance and functionality, making it difficult for users to detect the compromise.
Starting point is 00:03:39 Key features. Phishing for seed phrases. One critical feature of the infected Ledger Live app is its ability to display a phishing window. This window prompts users to enter their seed phrases, a set of words used to recover cryptocurrency wallets. The app provides a misleading message to create a false sense of security, encouraging users to divulge their sensitive information. Phishing message:
Starting point is 00:04:01 "Your secret phrase is the secret list of words that you backed up when you first set up your wallet. Ledger does not keep a copy of your recovery phrase." Data transmission to command and control servers. After capturing the seed phrases, the malware deobfuscates the command and control (C2) server address and transmits the data to http://159.65.193.64:8080/statistics. This primary server receives the sensitive information, which the attackers can then exploit. Additionally, the malware sends user information and execution status to two other servers: http://77.221.298080statistics__v2 and http://77.221.151.29:8080/statistics__v5. This multi-layered approach to data exfiltration ensures that the attackers receive comprehensive information about the infected systems. Conclusion. Our analysis of the Atomic Stealer, particularly its ability to target and replace the Ledger Live
Starting point is 00:05:13 app, has revealed its advanced capabilities. The Ledger Live clone mimics the real app, making it difficult for users to detect the compromise. By logging all user interactions, the attackers can capture sensitive information, such as seed phrases, which are crucial for accessing cryptocurrency wallets. To protect yourself, always download software from official sources, avoid clicking on suspicious links, and use robust security tools like CleanMyMac X with Moonlock engine to detect and block such threats. IOCs: a diff of the infected and original Ledger Live app is published as a GitHub Gist, together with SHA-256 hashes of the crack install DMG and of the malicious Ledger Live app components App.tsx, PairMyNano.tsx, ProtectDiscoverBody.tsx and app.asar.
Starting point is 00:07:17 Thank you for listening to this HackerNoon story, read by Artificial Intelligence. Visit HackerNoon.com to read, write, learn and publish.
